Windows Analysis Report
ocs-office.exe

Overview

General Information

Sample name: ocs-office.exe
Analysis ID: 1401771
MD5: 9ca1a4c10e82450b64100ad0723bc23f
SHA1: 2250f749cedc73924c998c8e38448cd739c4095b
SHA256: 2cb1be6c34d9992150169d9abe3236b700f946c6ff9f8f76507d46331d4bb431

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Queries memory information (via WMI often done to detect virtual machines)
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses ipconfig to lookup or modify the Windows network settings
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • ocs-office.exe (PID: 6556 cmdline: C:\Users\user\Desktop\ocs-office.exe MD5: 9CA1A4C10E82450B64100AD0723BC23F)
    • ocsoffice.exe (PID: 744 cmdline: C:\Users\user\Downloads\ocsoffice.exe MD5: BCD0D1EA9750CA6F018DA33DD41552B1)
      • instOCS.exe (PID: 3704 cmdline: instocs.exe MD5: 3F4CD95A8DF390E36298093C74B3BF7E)
        • OcsSetup.exe (PID: 4600 cmdline: "C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe" /S /NP /NOSPLASH /NO_SYSTRAY /NOW /TAG="office" /SERVER=http://ti.fm2c.com.br/ocsinventory MD5: B2216E895278C44D8168F78188AB4FE9)
          • OCSInventory.exe (PID: 2284 cmdline: "C:\Program Files\OCS Inventory Agent\ocsinventory.exe" /SAVE_CONF /SERVER=http://ti.fm2c.com.br/ocsinventory /USER= /PWD= /SSL=1 /CA="cacert.pem" /PROXY_TYPE=0 /PROXY= /PROXY_PORT= /PROXY_USER= /PROXY_PWD= /DEBUG=0 /TAG="office" /WMI_FLAG_MODE="COMPLETE" /DEFAULT_USER_DOMAIN="" /NO_SYSTRAY MD5: 38E1FC55C0339A770DD39CA6541437B9)
          • OCSInventory.exe (PID: 6540 cmdline: C:\Program Files\OCS Inventory Agent\ocsinventory.exe MD5: 38E1FC55C0339A770DD39CA6541437B9)
            • cmd.exe (PID: 4324 cmdline: C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cscript.exe (PID: 2124 cmdline: cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs" MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
            • cmd.exe (PID: 4476 cmdline: C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)} MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 5224 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}" MD5: 04029E121A0CFA5991749937DD22A1D9)
                • ipconfig.exe (PID: 888 cmdline: "C:\Windows\system32\ipconfig.exe" /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)
          • OcsService.exe (PID: 5376 cmdline: "C:\Program Files\OCS Inventory Agent\OcsService.exe" -install MD5: 67C17EA1BF6EB610DEAC638E4078D6B4)
            • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • OcsService.exe (PID: 2488 cmdline: C:\Program Files\OCS Inventory Agent\OcsService.exe MD5: 67C17EA1BF6EB610DEAC638E4078D6B4)
    • cmd.exe (PID: 5796 cmdline: C:\Windows\system32\cmd.exe" /c "C:\Program Files\OCS Inventory Agent\ocsinventory.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • OCSInventory.exe (PID: 1464 cmdline: C:\Program Files\OCS Inventory Agent\ocsinventory.exe MD5: 38E1FC55C0339A770DD39CA6541437B9)
        • cmd.exe (PID: 5480 cmdline: C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cscript.exe (PID: 3244 cmdline: cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs" MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
        • cmd.exe (PID: 5644 cmdline: C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)} MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2164 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • ipconfig.exe (PID: 4092 cmdline: "C:\Windows\system32\ipconfig.exe" /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: frack113: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}", CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4476, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}", ProcessId: 5224, ProcessName: powershell.exe
Source: Process started, Author: Michael Haag: Data: Command: cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs", CommandLine: cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs", CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4324, ParentProcessName: cmd.exe, ProcessCommandLine: cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs", ProcessId: 2124, ProcessName: cscript.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}", CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4476, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}", ProcessId: 5224, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
Source: ocs-office.exe, Virustotal: Detection: 11%
Source: OCSInventory.exe, Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe, Directory created: C:\Program Files\OCS Inventory Agent
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe, Directory created: C:\Program Files\OCS Inventory Agent\Plugins
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe, Directory created: C:\Program Files\OCS Inventory Agent\Plugins\DO_NOT_REMOVE.txt
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe, Directory created: C:\Program Files\OCS Inventory Agent\Plugins\o36516user.vbs
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\libeay32.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\ssleay32.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\mfc140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\mfc140u.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\mfcm140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\mfcm140u.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\vcomp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\vcamp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\ucrtbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\ZipArchive.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\ComHTTP.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\OcsWmi.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\SysInfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\OCSInventory Front.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\Download.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\OcsService.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\OcsSystray.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\OcsNotifyUser.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\OCS-transform.xsl
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\Plugins\Saas.ps1
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Directory created: C:\Program Files\OCS Inventory Agent\uninst.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory NG Agent
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe, File created: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OCS-Windows-Agent-Setup-x64.log
Source: unknown, HTTPS traffic detected: 119.8.87.215:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 119.8.87.215:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: ocs-office.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\openssl-1.0.2r\out32dll\ssleay32.pdb source: OCSInventory.exe, 00000007.00000002.2031169967.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp, OCSInventory.exe, 00000008.00000002.2195385269.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp, OCSInventory.exe, 00000016.00000002.2414567170.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\MFCM140U.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcamp140.amd64.pdbGCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsNotifyUser.pdb883GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsService.pdb--)GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsService.exe, 00000011.00000002.2230690850.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000011.00000000.2223938644.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000013.00000000.2243858108.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000013.00000002.2906285996.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\openssl-1.0.2r\out32dll\libeay32.pdba source: OCSInventory.exe, 00000007.00000002.2030109278.00007FFDFB4A9000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000008.00000002.2193943425.00007FFDFB4A9000.00000002.00000001.01000000.00000018.sdmp, OcsService.exe, 00000011.00000002.2231658880.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp, OcsService.exe, 00000013.00000002.2907261387.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000016.00000002.2413735788.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\MFCM140.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OCSInventory Front.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031403378.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000008.00000002.2196356994.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000011.00000002.2232355200.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000013.00000002.2908044221.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000016.00000002.2415168665.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: OCSInventory.exe, 00000007.00000002.2030509014.00007FFDFB834000.00000002.00000001.01000000.00000019.sdmp, OCSInventory.exe, 00000008.00000002.2194438887.00007FFDFB834000.00000002.00000001.01000000.00000019.sdmp, OcsService.exe, 00000011.00000002.2231151082.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp, OcsService.exe, 00000013.00000002.2906769234.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp, OCSInventory.exe, 00000016.00000002.2413114558.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsWmi.pdb))'GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029595116.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OCSInventory.exe, 00000008.00000002.2192512504.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OcsService.exe, 00000011.00000002.2229840960.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OcsService.exe, 00000013.00000002.2905102277.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OCSInventory.exe, 00000016.00000002.2411751483.0000000180007000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\openssl-1.0.2r\out32dll\libeay32.pdb source: OCSInventory.exe, 00000007.00000002.2030109278.00007FFDFB4A9000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000008.00000002.2193943425.00007FFDFB4A9000.00000002.00000001.01000000.00000018.sdmp, OcsService.exe, 00000011.00000002.2231658880.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp, OcsService.exe, 00000013.00000002.2907261387.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000016.00000002.2413735788.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsSystray.pdb::3GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OCSInventory.pdb55,GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000000.2027408654.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000007.00000002.2029941666.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000008.00000002.2193694096.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000008.00000000.2057861583.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000016.00000000.2249360801.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000016.00000002.2412776468.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\openssl-1.0.2r\out32dll\ssleay32.pdbFF source: OCSInventory.exe, 00000007.00000002.2031169967.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp, OCSInventory.exe, 00000008.00000002.2195385269.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp, OCSInventory.exe, 00000016.00000002.2414567170.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OCSInventory.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000000.2027408654.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000007.00000002.2029941666.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000008.00000002.2193694096.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000008.00000000.2057861583.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000016.00000000.2249360801.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000016.00000002.2412776468.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\zlib-1.2.8\zlib1.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029529385.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000008.00000002.2192290265.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000011.00000002.2229660959.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000013.00000002.2904927334.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000016.00000002.2411630185.000000006670E000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\Download.pdb//+GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcamp140.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: OCSInventory.exe, 00000007.00000002.2030509014.00007FFDFB834000.00000002.00000001.01000000.00000019.sdmp, OCSInventory.exe, 00000008.00000002.2194438887.00007FFDFB834000.00000002.00000001.01000000.00000019.sdmp, OcsService.exe, 00000011.00000002.2231151082.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp, OcsService.exe, 00000013.00000002.2906769234.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp, OCSInventory.exe, 00000016.00000002.2413114558.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\ComHTTP.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031254054.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000008.00000002.2195594617.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000016.00000002.2414823583.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\SysInfo.pdbWW#GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2030862261.00007FFDFF2BB000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000008.00000002.2194884273.00007FFDFF2BB000.00000002.00000001.01000000.00000016.sdmp, OcsService.exe, 00000011.00000002.2232054370.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp, OcsService.exe, 00000013.00000002.2907707881.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000016.00000002.2414173406.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsWmi.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029595116.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OCSInventory.exe, 00000008.00000002.2192512504.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OcsService.exe, 00000011.00000002.2229840960.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OcsService.exe, 00000013.00000002.2905102277.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OCSInventory.exe, 00000016.00000002.2411751483.0000000180007000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsSystray.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\SysInfo.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2030862261.00007FFDFF2BB000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000008.00000002.2194884273.00007FFDFF2BB000.00000002.00000001.01000000.00000016.sdmp, OcsService.exe, 00000011.00000002.2232054370.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp, OcsService.exe, 00000013.00000002.2907707881.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000016.00000002.2414173406.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031330447.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp, OCSInventory.exe, 00000008.00000002.2195863861.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp, OcsService.exe, 00000011.00000002.2232211869.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp, OcsService.exe, 00000013.00000002.2907881081.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp, OCSInventory.exe, 00000016.00000002.2414992126.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsService.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsService.exe, 00000011.00000002.2230690850.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000011.00000000.2223938644.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000013.00000000.2243858108.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000013.00000002.2906285996.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\ZipArchive\x64\Release Unicode STL MD DLL\ZipArchive.pdbSS GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcomp140.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsNotifyUser.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\zlib-1.2.8\zlib1.pdb## source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029529385.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000008.00000002.2192290265.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000011.00000002.2229660959.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000013.00000002.2904927334.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000016.00000002.2411630185.000000006670E000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\ComHTTP.pdb''"GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031254054.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000008.00000002.2195594617.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000016.00000002.2414823583.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: ucrtbase.pdbUGP source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\ZipArchive\x64\Release Unicode STL MD DLL\ZipArchive.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OCSInventory Front.pdbKK(GCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031403378.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000008.00000002.2196356994.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000011.00000002.2232355200.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000013.00000002.2908044221.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000016.00000002.2415168665.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\Download.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcomp140.amd64.pdbGCTL source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031477967.00007FFE13315000.00000002.00000001.01000000.0000001C.sdmp, OCSInventory.exe, 00000008.00000002.2196757713.00007FFE13315000.00000002.00000001.01000000.0000001C.sdmp, OcsService.exe, 00000011.00000002.2232501460.00007FFE1A475000.00000002.00000001.01000000.0000001C.sdmp, OcsService.exe, 00000013.00000002.2908212378.00007FFE1A475000.00000002.00000001.01000000.0000001C.sdmp, OCSInventory.exe, 00000016.00000002.2415294839.00007FFE1A475000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: OCSInventory.exe, 00000007.00000002.2030972028.00007FFE002D5000.00000002.00000001.01000000.0000001B.sdmp, OCSInventory.exe, 00000008.00000002.2195052215.00007FFE002D5000.00000002.00000001.01000000.0000001B.sdmp, OcsService.exe, 00000011.00000002.2231886839.00007FFE00305000.00000002.00000001.01000000.0000001B.sdmp, OcsService.exe, 00000013.00000002.2907530308.00007FFE00305000.00000002.00000001.01000000.0000001B.sdmp, OCSInventory.exe, 00000016.00000002.2414004919.00007FFE00305000.00000002.00000001.01000000.0000001B.sdmp
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAFBC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00007FF78EAFBC70
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAC2F50 FindFirstFileExW,0_2_00007FF78EAC2F50
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAFC7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00007FF78EAFC7C0
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB0A874 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00007FF78EB0A874
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB0A350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,0_2_00007FF78EB0A350
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB0A4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,0_2_00007FF78EB0A4F8
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB06428 FindFirstFileW,FindNextFileW,FindClose,0_2_00007FF78EB06428
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAFB7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00007FF78EAFB7C0
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB071F4 FindFirstFileW,FindClose,0_2_00007FF78EB071F4
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB072A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00007FF78EB072A8
Source: C:\Users\user\Downloads\ocsoffice.exe Code function: 1_2_00406313 FindFirstFileA,FindClose,1_2_00406313
Source: C:\Users\user\Downloads\ocsoffice.exe Code function: 1_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_2_004057D8
Source: C:\Users\user\Downloads\ocsoffice.exe Code function: 1_2_00402765 FindFirstFileA,1_2_00402765
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe Code function: 2_2_00406313 FindFirstFileA,FindClose,2_2_00406313
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe Code function: 2_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,2_2_004057D8
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe Code function: 2_2_00402765 FindFirstFileA,2_2_00402765
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Code function: 3_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,3_2_004059F0
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Code function: 3_2_0040659C FindFirstFileA,FindClose,3_2_0040659C
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Code function: 3_2_004027A1 FindFirstFileA,3_2_004027A1
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_00007FFDFB3B5D90 _errno,_errno,malloc,memset,malloc,malloc,free,free,_errno,MultiByteToWideChar,FindFirstFileW,free,free,free,_errno,FindNextFileW,WideCharToMultiByte,_errno,7_2_00007FFDFB3B5D90
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB0E87C InternetReadFile,0_2_00007FF78EB0E87C
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 02 Mar 2024 01:23:36 GMT Server: Apache/2.4.41 (Ubuntu) content-length: 236 Cache-control: no-cache Content-Type: application/x-compressed
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 02 Mar 2024 01:23:48 GMT Server: Apache/2.4.41 (Ubuntu) content-length: 91 Cache-control: no-cache Content-Type: application/x-compressed
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 02 Mar 2024 01:23:55 GMT Server: Apache/2.4.41 (Ubuntu) content-length: 237 Cache-control: no-cache Content-Type: application/x-compressed
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 02 Mar 2024 01:24:10 GMT Server: Apache/2.4.41 (Ubuntu) content-length: 91 Cache-control: no-cache Content-Type: application/x-compressed
Source: global traffic HTTP traffic detected: GET /paginas/publicFiles/ocsoffice.exe HTTP/1.1 User-Agent: AutoIt Host: portal.fm2c.com.br
Source: global traffic HTTP traffic detected: GET /paginas/publicFiles/ocsoffice.exe HTTP/1.1 User-Agent: AutoIt Host: portal.fm2c.com.br Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: portal.fm2c.com.br
Source: unknown HTTP traffic detected: POST /ocsinventory HTTP/1.1 Host: ti.fm2c.com.br User-Agent: OCS-NG_WINDOWS_AGENT_v2.9.2.0 Accept: */* Content-Type: application/x-compressed Content-Length: 131
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ocs-office.exe, 00000000.00000002.2304139728.000001814F7BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: OcsSetup.exe, OcsSetup.exe, 00000003.00000003.2251156729.0000000003081000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2263622193.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, OcsSetup.exe, 00000003.00000000.1724965818.000000000040A000.00000008.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ocsoffice.exe, 00000001.00000000.1715229113.000000000040A000.00000008.00000001.01000000.00000006.sdmp, ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, instOCS.exe, 00000002.00000002.2267468052.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, instOCS.exe, 00000002.00000000.1719645772.000000000040A000.00000008.00000001.01000000.0000000A.sdmp, OcsSetup.exe, 00000003.00000003.2251156729.0000000003081000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2263622193.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, OcsSetup.exe, 00000003.00000000.1724965818.000000000040A000.00000008.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000F.00000002.2170659052.000001E49A993000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2170659052.000001E49A85C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2132643091.000001E48C21A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2383777401.000001E876498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2383777401.000001E8765CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0J
Source: powershell.exe, 0000001C.00000002.2314383504.000001E866652000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.2132643091.000001E48A7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2314383504.000001E866421000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OCSInventory.exe, 00000007.00000002.2029841410.000002017A067000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029801456.000002017A04D000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2029066267.000002017BE40000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2028921381.000002017BE40000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2029009326.000002017BE40000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2028890553.000002017BE40000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2029308939.000002017A04D000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2029037916.000002017BE40000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029815348.000002017A05C000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2028855155.000002017BE40000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2029094718.000002017BE40000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000003.2028952360.000002017BE40000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2189573505.000001D997780000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2190014242.000001D995967000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2058488335.000001D9972C0000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2191515474.000001D995968000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193358121.000001D995968000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2068845045.000001D997760000.00000004.00000800.00020000.00000000.sdmp, OCSInventory.exe, 
00000008.00000003.2189853413.000001D995947000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2189938683.000001D99595A000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2191316015.000001D995901000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventory
Source: OCSInventory.exe, 00000007.00000002.2029715162.000002017A01C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventory/USER=/PWD=/SSL=1/CA=cacert.pem/PROXY_TYPE=0/PROXY=/PROXY_PORT=/PR
Source: OcsSetup.exe, 00000003.00000002.2263622193.0000000000427000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventory12ESS:
Source: instOCS.exe, 00000002.00000002.2267468052.0000000000432000.00000004.00000001.01000000.0000000A.sdmp, instOCS.exe, 00000002.00000002.2268280616.0000000000627000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventory:
Source: instOCS.exe, 00000002.00000002.2268994035.0000000002750000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2263994646.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264098954.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2263622193.000000000042A000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventoryC:
Source: OcsSetup.exe, 00000003.00000002.2263622193.0000000000427000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventoryERVER=http://ti.fm2c.com.br/ocsinventoryS/NP
Source: ocsoffice.exe, 00000001.00000002.2270342274.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventoryOCS
Source: OcsSetup.exe, 00000003.00000002.2263622193.0000000000425000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventorySaturdayOSPLASH
Source: OCSInventory.exe, 00000008.00000003.2191316015.000001D995901000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193112052.000001D995901000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2191756385.000001D995901000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventory_
Source: OCSInventory.exe, 00000008.00000003.2191316015.000001D995901000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193112052.000001D995901000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2191756385.000001D995901000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410871338.000001EC3228A000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410952624.000001EC3229D000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410745267.000001EC3227F000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000002.2412303943.000001EC3229F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ti.fm2c.com.br/ocsinventorynt
Source: powershell.exe, 0000000F.00000002.2132643091.000001E48BFEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2314383504.000001E867C25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001C.00000002.2314383504.000001E866652000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.artpol-software.com
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, OCSInventory.exe, 00000007.00000002.2030907910.00007FFDFF305000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000007.00000002.2031285647.00007FFE126CE000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000007.00000002.2029620541.000000018000C000.00000002.00000001.01000000.0000001A.sdmp, OCSInventory.exe, 00000008.00000002.2192641356.000000018000C000.00000002.00000001.01000000.0000001A.sdmp, OCSInventory.exe, 00000008.00000002.2195653164.00007FFE126CE000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000008.00000002.2194956078.00007FFDFF305000.00000002.00000001.01000000.00000016.sdmp, OcsService.exe, 00000011.00000002.2229893566.000000018000C000.00000002.00000001.01000000.0000001A.sdmp, OcsService.exe, 00000011.00000002.2232126021.00007FFE003D5000.00000002.00000001.01000000.00000016.sdmp, OcsService.exe, 00000013.00000002.2905174952.000000018000C000.00000002.00000001.01000000.0000001A.sdmp, OcsService.exe, 00000013.00000002.2907782590.00007FFE003D5000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000016.00000002.2414899125.00007FFE126CE000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000016.00000002.2414282409.00007FFE003D5000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000016.00000002.2411803423.000000018000C000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: http://www.ocsinventory-ng.org
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ocsinventory-ng.org%s
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ocsinventory-ng.orgB
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsService.exe, 00000011.00000002.2230743470.00007FF6EED6E000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000013.00000000.2243916264.00007FF6EED6E000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://www.ocsinventory-ng.orgF
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029969363.00007FF7B4CA6000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000008.00000000.2057887829.00007FF7B4CA6000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000016.00000000.2249421655.00007FF7B4CA6000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.ocsinventory-ng.orgJ
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ocsinventory-ng.orgL
Source: OcsSetup.exe, 00000003.00000002.2263817012.0000000000473000.00000002.00000001.01000000.0000000D.sdmp, OcsSetup.exe, 00000003.00000003.2251156729.00000000030CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ocsinventory-ng.orgN
Source: OcsSetup.exe, 00000003.00000002.2264098954.0000000000621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ocsinventory-ng.orgPublisherOCS
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031437511.00007FFE13241000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000008.00000002.2196531442.00007FFE13241000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000011.00000002.2232416874.00007FFE13241000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000013.00000002.2908113490.00007FFE13241000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000016.00000002.2415223849.00007FFE13241000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: http://www.ocsinventory-ng.orgV
Source: OCSInventory.exe String found in binary or memory: http://www.openssl.org/
Source: OCSInventory.exe, 00000007.00000002.2031213190.00007FFE0E188000.00000002.00000001.01000000.00000020.sdmp, OCSInventory.exe, 00000007.00000002.2030196745.00007FFDFB541000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000008.00000002.2194128263.00007FFDFB541000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000008.00000002.2195516634.00007FFE0E188000.00000002.00000001.01000000.00000020.sdmp, OcsService.exe, 00000011.00000002.2231779010.00007FFDFBAB1000.00000002.00000001.01000000.00000018.sdmp, OcsService.exe, 00000013.00000002.2907418466.00007FFDFBAB1000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000016.00000002.2413908506.00007FFDFBAB1000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000016.00000002.2414740326.00007FFE0E188000.00000002.00000001.01000000.00000020.sdmpString found in binary or memory: http://www.openssl.org/V
Source: OCSInventory.exe, OCSInventory.exe, 00000007.00000002.2030156695.00007FFDFB501000.00000008.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000008.00000002.2194043876.00007FFDFB510000.00000004.00000001.01000000.00000018.sdmp, OcsService.exe, 00000011.00000002.2231710053.00007FFDFBA70000.00000008.00000001.01000000.00000018.sdmp, OcsService.exe, 00000013.00000002.2907341902.00007FFDFBA71000.00000008.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000016.00000002.2413829529.00007FFDFBA80000.00000004.00000001.01000000.00000018.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
Source: OCSInventory.exe, 00000007.00000002.2030156695.00007FFDFB501000.00000008.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000008.00000002.2194043876.00007FFDFB510000.00000004.00000001.01000000.00000018.sdmp, OcsService.exe, 00000011.00000002.2231710053.00007FFDFBA70000.00000008.00000001.01000000.00000018.sdmp, OcsService.exe, 00000013.00000002.2907341902.00007FFDFBA71000.00000008.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000016.00000002.2413829529.00007FFDFBA80000.00000004.00000001.01000000.00000018.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html.
Source: OCSInventory.exe String found in binary or memory: http://www.zlib.net/
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029556525.0000000066716000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000008.00000002.2192340700.0000000066716000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000011.00000002.2229759988.0000000066716000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000013.00000002.2904997429.0000000066716000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000016.00000002.2411679589.0000000066716000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.zlib.net/D
Source: powershell.exe, 0000000F.00000002.2132643091.000001E48A7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2314383504.000001E866421000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001C.00000002.2383777401.000001E8765CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001C.00000002.2383777401.000001E8765CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001C.00000002.2383777401.000001E8765CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: OCSInventory.exe String found in binary or memory: https://curl.haxx.se/
Source: OCSInventory.exe, 00000007.00000002.2031113260.00007FFE0CFE6000.00000002.00000001.01000000.0000001F.sdmp, OCSInventory.exe, 00000008.00000002.2195277999.00007FFE0CFE6000.00000002.00000001.01000000.0000001F.sdmp, OCSInventory.exe, 00000016.00000002.2414471242.00007FFE0CFE6000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: https://curl.haxx.se/V
Source: OCSInventory.exe String found in binary or memory: https://curl.haxx.se/docs/copyright.html
Source: OCSInventory.exe, 00000007.00000002.2031113260.00007FFE0CFE6000.00000002.00000001.01000000.0000001F.sdmp, OCSInventory.exe, 00000008.00000002.2195277999.00007FFE0CFE6000.00000002.00000001.01000000.0000001F.sdmp, OCSInventory.exe, 00000016.00000002.2414471242.00007FFE0CFE6000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: OCSInventory.exe, OCSInventory.exe, 00000007.00000002.2031076819.00007FFE0CFD1000.00000002.00000001.01000000.0000001F.sdmp, OCSInventory.exe, 00000008.00000002.2195219918.00007FFE0CFD1000.00000002.00000001.01000000.0000001F.sdmp, OCSInventory.exe, 00000016.00000002.2414413188.00007FFE0CFD1000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: powershell.exe, 0000001C.00000002.2314383504.000001E866652000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.2132643091.000001E48B412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2314383504.000001E867052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 0000000F.00000002.2170659052.000001E49A993000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2170659052.000001E49A85C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2132643091.000001E48C21A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2383777401.000001E876498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2383777401.000001E8765CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000F.00000002.2132643091.000001E48BFEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2314383504.000001E867C25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000F.00000002.2132643091.000001E48BFEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2314383504.000001E867C25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
Source: ocs-office.exe, 00000000.00000003.2302497939.000001814F495000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2303355822.000001814F496000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2302157006.000001814F492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.fm2c.com.br/
Source: ocs-office.exe, 00000000.00000002.2304139728.000001814F7BB000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2302157006.000001814F492000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2303990987.000001814F73D000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2299557988.000001814F65B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exe
Source: ocs-office.exe, 00000000.00000002.2304139728.000001814F7BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exe%
Source: ocs-office.exe, 00000000.00000002.2304139728.000001814F7BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exe8
Source: ocs-office.exe, 00000000.00000003.2299749862.000001814F663000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2303809041.000001814F673000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2299633468.000001814F65D000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2299557988.000001814F65B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeE%
Source: ocs-office.exe, 00000000.00000003.2302497939.000001814F495000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2303355822.000001814F496000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2302157006.000001814F492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeH
Source: ocs-office.exe, 00000000.00000003.2302497939.000001814F495000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2303355822.000001814F496000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2302157006.000001814F492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeQ
Source: ocs-office.exe, 00000000.00000002.2304139728.000001814F7BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeS
Source: ocs-office.exe, 00000000.00000002.2303990987.000001814F73D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeexe
Source: ocs-office.exe, 00000000.00000003.2299749862.000001814F663000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2303809041.000001814F673000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2299633468.000001814F65D000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2299557988.000001814F65B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exet
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0D
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown HTTPS traffic detected: 119.8.87.215:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 119.8.87.215:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB10D24 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB10A6C OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAF9034 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW

System Summary

Source: C:\Users\user\Desktop\ocs-office.exe Code function: This is a third-party compiled AutoIt script. 0_2_00007FF78EA837B0
Source: ocs-office.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ocs-office.exe, 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1a619d8c-4
Source: ocs-office.exe, 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@*memstr_9d080eef-1
Source: C:\Windows\System32\cscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAFBF80: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAECE68 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAFD750 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Downloads\ocsoffice.exe Code function: 1_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe Code function: 2_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Code function: 3_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_yde5xl00.tis.ps1
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3E74107_2_00007FFDFB3E7410
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3B92D07_2_00007FFDFB3B92D0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4612707_2_00007FFDFB461270
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DB3507_2_00007FFDFB3DB350
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C71C07_2_00007FFDFB3C71C0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C91D37_2_00007FFDFB3C91D3
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DB1E07_2_00007FFDFB3DB1E0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CB1F07_2_00007FFDFB3CB1F0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4832107_2_00007FFDFB483210
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D90907_2_00007FFDFB3D9090
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CD13B7_2_00007FFDFB3CD13B
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3B71107_2_00007FFDFB3B7110
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CB7DB7_2_00007FFDFB3CB7DB
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D97D07_2_00007FFDFB3D97D0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D17607_2_00007FFDFB3D1760
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C78407_2_00007FFDFB3C7840
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4378407_2_00007FFDFB437840
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB40D6807_2_00007FFDFB40D680
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB45D7307_2_00007FFDFB45D730
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C57307_2_00007FFDFB3C5730
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D37407_2_00007FFDFB3D3740
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DB6E07_2_00007FFDFB3DB6E0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3E76F07_2_00007FFDFB3E76F0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3ED5B07_2_00007FFDFB3ED5B0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3EF5807_2_00007FFDFB3EF580
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CB6207_2_00007FFDFB3CB620
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4836107_2_00007FFDFB483610
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB46D4A07_2_00007FFDFB46D4A0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CD4D07_2_00007FFDFB3CD4D0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3FB4607_2_00007FFDFB3FB460
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DF4607_2_00007FFDFB3DF460
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C34907_2_00007FFDFB3C3490
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D95307_2_00007FFDFB3D9530
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C55507_2_00007FFDFB3C5550
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DB5507_2_00007FFDFB3DB550
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D75507_2_00007FFDFB3D7550
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB48CB707_2_00007FFDFB48CB70
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3BEC507_2_00007FFDFB3BEC50
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB45CBF07_2_00007FFDFB45CBF0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3FABE07_2_00007FFDFB3FABE0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3F0AA07_2_00007FFDFB3F0AA0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3F4A907_2_00007FFDFB3F4A90
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D0B207_2_00007FFDFB3D0B20
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB43AB107_2_00007FFDFB43AB10
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C8B117_2_00007FFDFB3C8B11
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D89C07_2_00007FFDFB3D89C0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C6A507_2_00007FFDFB3C6A50
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C6A087_2_00007FFDFB3C6A08
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3E28A07_2_00007FFDFB3E28A0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4908C07_2_00007FFDFB4908C0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C88617_2_00007FFDFB3C8861
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CA9507_2_00007FFDFB3CA950
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C69517_2_00007FFDFB3C6951
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DA8E07_2_00007FFDFB3DA8E0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB49E8E07_2_00007FFDFB49E8E0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D08F07_2_00007FFDFB3D08F0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C8F7C7_2_00007FFDFB3C8F7C
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CCF807_2_00007FFDFB3CCF80
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3F30207_2_00007FFDFB3F3020
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DB0207_2_00007FFDFB3DB020
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB43EFF07_2_00007FFDFB43EFF0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB47EEC07_2_00007FFDFB47EEC0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB452EC07_2_00007FFDFB452EC0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D4E707_2_00007FFDFB3D4E70
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C0EF07_2_00007FFDFB3C0EF0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D0F107_2_00007FFDFB3D0F10
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB48ADC07_2_00007FFDFB48ADC0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3BAD707_2_00007FFDFB3BAD70
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C8E207_2_00007FFDFB3C8E20
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3F4E407_2_00007FFDFB3F4E40
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3B6E507_2_00007FFDFB3B6E50
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C4DDF7_2_00007FFDFB3C4DDF
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C4DF07_2_00007FFDFB3C4DF0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DEE007_2_00007FFDFB3DEE00
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3EECD07_2_00007FFDFB3EECD0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C2C707_2_00007FFDFB3C2C70
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D0D207_2_00007FFDFB3D0D20
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DAD407_2_00007FFDFB3DAD40
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C63C07_2_00007FFDFB3C63C0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CC3707_2_00007FFDFB3CC370
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4244307_2_00007FFDFB424430
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3EE4207_2_00007FFDFB3EE420
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D04207_2_00007FFDFB3D0420
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4244107_2_00007FFDFB424410
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3E24007_2_00007FFDFB3E2400
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3B62B07_2_00007FFDFB3B62B0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C82B07_2_00007FFDFB3C82B0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4762707_2_00007FFDFB476270
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4762647_2_00007FFDFB476264
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4762827_2_00007FFDFB476282
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB47627F7_2_00007FFDFB47627F
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4823307_2_00007FFDFB482330
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DA2E07_2_00007FFDFB3DA2E0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4981D07_2_00007FFDFB4981D0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D81707_2_00007FFDFB3D8170
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CA1967_2_00007FFDFB3CA196
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB49E2407_2_00007FFDFB49E240
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DC2507_2_00007FFDFB3DC250
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB41E1E07_2_00007FFDFB41E1E0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DE2007_2_00007FFDFB3DE200
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D80A07_2_00007FFDFB3D80A0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB48A0A07_2_00007FFDFB48A0A0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D40907_2_00007FFDFB3D4090
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3E61307_2_00007FFDFB3E6130
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C40E07_2_00007FFDFB3C40E0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CA7707_2_00007FFDFB3CA770
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB43A7807_2_00007FFDFB43A780
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D87507_2_00007FFDFB3D8750
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C66F27_2_00007FFDFB3C66F2
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3BC7007_2_00007FFDFB3BC700
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D67007_2_00007FFDFB3D6700
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CC5A07_2_00007FFDFB3CC5A0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3B65B07_2_00007FFDFB3B65B0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C85C07_2_00007FFDFB3C85C0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3D25E07_2_00007FFDFB3D25E0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C45EE7_2_00007FFDFB3C45EE
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DA6107_2_00007FFDFB3DA610
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3DC4D07_2_00007FFDFB3DC4D0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3C65207_2_00007FFDFB3C6520
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4445207_2_00007FFDFB444520
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB3CA5407_2_00007FFDFB3CA540
Source: C:\Users\user\Desktop\ocs-office.exeCode function: String function: 00007FF78EAA8D58 appears 76 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB3B2A20 appears 54 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB426620 appears 47 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB41D140 appears 169 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB3B2D40 appears 339 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB3B1AB0 appears 54 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB3B2140 appears 205 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB4A7470 appears 2081 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB428210 appears 39 times
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: String function: 00007FFDFB4279D0 appears 905 times
Source: ocs-office.exe, 00000000.00000003.2300666556.000001814F505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs ocs-office.exe
Source: ocs-office.exe, 00000000.00000003.2301803097.000001814F50A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs ocs-office.exe
Source: ocs-office.exe, 00000000.00000003.2300837185.000001814F4D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMERT vs ocs-office.exe
Source: ocs-office.exe, 00000000.00000003.2301494982.000001814F508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs ocs-office.exe
Source: ocs-office.exe, 00000000.00000003.1633738226.000001814F464000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMERT vs ocs-office.exe
Source: ocs-office.exe, 00000000.00000003.1633738226.000001814F464000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs ocs-office.exe
Source: ocs-office.exe, 00000000.00000003.2302212127.000001814F47B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs ocs-office.exe
Source: ocs-office.exe, 00000000.00000003.2300925550.000001814F4EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAMERT vs ocs-office.exe
Source: C:\Users\user\Desktop\ocs-office.exe
Section loaded: wsock32.dll
Section loaded: version.dll
Section loaded: winmm.dll
Section loaded: mpr.dll
Section loaded: wininet.dll
Section loaded: iphlpapi.dll
Section loaded: userenv.dll
Section loaded: uxtheme.dll
Section loaded: kernel.appcore.dll
Section loaded: windows.storage.dll
Section loaded: wldp.dll
Section loaded: iertutil.dll
Section loaded: sspicli.dll
Section loaded: profapi.dll
Section loaded: ondemandconnroutehelper.dll
Section loaded: winhttp.dll
Section loaded: mswsock.dll
Section loaded: winnsi.dll
Section loaded: urlmon.dll
Section loaded: srvcli.dll
Section loaded: netutils.dll
Section loaded: dnsapi.dll
Section loaded: rasadhlp.dll
Section loaded: fwpuclnt.dll
Section loaded: schannel.dll
Section loaded: mskeyprotect.dll
Section loaded: ntasn1.dll
Section loaded: msasn1.dll
Section loaded: dpapi.dll
Section loaded: cryptsp.dll
Section loaded: rsaenh.dll
Section loaded: cryptbase.dll
Section loaded: gpapi.dll
Section loaded: ncrypt.dll
Section loaded: ncryptsslp.dll
Section loaded: textshaping.dll
Section loaded: apphelp.dll
Section loaded: textinputframework.dll
Section loaded: coreuicomponents.dll
Section loaded: coremessaging.dll
Section loaded: ntmarta.dll
Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\ocsoffice.exe
Section loaded: uxtheme.dll
Section loaded: userenv.dll
Section loaded: apphelp.dll
Section loaded: propsys.dll
Section loaded: dwmapi.dll
Section loaded: cryptbase.dll
Section loaded: oleacc.dll
Section loaded: ntmarta.dll
Section loaded: version.dll
Section loaded: shfolder.dll
Section loaded: kernel.appcore.dll
Section loaded: windows.storage.dll
Section loaded: wldp.dll
Section loaded: profapi.dll
Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe
Section loaded: uxtheme.dll
Section loaded: userenv.dll
Section loaded: apphelp.dll
Section loaded: propsys.dll
Section loaded: dwmapi.dll
Section loaded: cryptbase.dll
Section loaded: oleacc.dll
Section loaded: ntmarta.dll
Section loaded: version.dll
Section loaded: shfolder.dll
Section loaded: kernel.appcore.dll
Section loaded: windows.storage.dll
Section loaded: wldp.dll
Section loaded: profapi.dll
Section loaded: windows.staterepositoryps.dll
Section loaded: windows.fileexplorer.common.dll
Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
Section loaded: uxtheme.dll
Section loaded: userenv.dll
Section loaded: apphelp.dll
Section loaded: propsys.dll
Section loaded: dwmapi.dll
Section loaded: cryptbase.dll
Section loaded: oleacc.dll
Section loaded: ntmarta.dll
Section loaded: version.dll
Section loaded: shfolder.dll
Section loaded: kernel.appcore.dll
Section loaded: windows.storage.dll
Section loaded: wldp.dll
Section loaded: profapi.dll
Section loaded: sspicli.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe
Section loaded: apphelp.dll
Section loaded: wsock32.dll
Section loaded: ocsinventory front.dll
Section loaded: sysinfo.dll
Section loaded: mfc140u.dll
Section loaded: zlib1.dll
Section loaded: libeay32.dll
Section loaded: ocswmi.dll
Section loaded: wtsapi32.dll
Section loaded: userenv.dll
Section loaded: msvcp140.dll
Section loaded: vcruntime140_1.dll
Section loaded: version.dll
Section loaded: vcruntime140.dll
Section loaded: iphlpapi.dll
Section loaded: mpr.dll
Section loaded: uxtheme.dll
Section loaded: windows.storage.dll
Section loaded: wldp.dll
Section loaded: profapi.dll
Section loaded: kernel.appcore.dll
Section loaded: libcurl.dll
Section loaded: ssleay32.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: libcurl.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: ssleay32.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: devobj.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\ipconfig.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exeSection loaded: dnsapi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: apphelp.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: libeay32.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: ocsinventory front.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: sysinfo.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: mfc140u.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: zlib1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: wtsapi32.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: userenv.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: sysinfo.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: mfc140u.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: ocswmi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: msvcp140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: version.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: iphlpapi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: mpr.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: uxtheme.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: windows.storage.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: wldp.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: profapi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: libeay32.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: ocsinventory front.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: sysinfo.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: mfc140u.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: zlib1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: wtsapi32.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: userenv.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: sysinfo.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: mfc140u.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: ocswmi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: mfc140u.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: msvcp140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: version.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: iphlpapi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: mpr.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: uxtheme.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: windows.storage.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: wldp.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: profapi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: netapi32.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: netutils.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: wkscli.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: srvcli.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: cryptsp.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: rsaenh.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: cryptbase.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: ntmarta.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: wbemcomn.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: amsi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: dhcpcsvc6.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: dhcpcsvc.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: dnsapi.dll
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeSection loaded: mswsock.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: wsock32.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: ocsinventory front.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: sysinfo.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: mfc140u.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: msvcp140.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: uxtheme.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: libeay32.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: zlib1.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: ocswmi.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: libeay32.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: version.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: wtsapi32.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: iphlpapi.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: userenv.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: mpr.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: windows.storage.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: wldp.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: profapi.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: libcurl.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: ssleay32.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: wbemcomn.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: amsi.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: secur32.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: sspicli.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: mswsock.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: dnsapi.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: rasadhlp.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: fwpuclnt.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: dhcpcsvc6.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: dhcpcsvc.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: devobj.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: msasn1.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: napinsp.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: pnrpnsp.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: wshbth.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: nlaapi.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: winrnr.dll
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\ipconfig.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exeSection loaded: dnsapi.dll
Source: classification engine; Classification label: mal100.evad.winEXE@44/69@2/2
Source: C:\Users\user\Desktop\ocs-office.exe; Code function: 0_2_00007FF78EB03778 GetLastError,FormatMessageW,0_2_00007FF78EB03778
Source: C:\Users\user\Desktop\ocs-office.exe; Code function: 0_2_00007FF78EAECCE0 AdjustTokenPrivileges,CloseHandle,0_2_00007FF78EAECCE0
Source: C:\Users\user\Desktop\ocs-office.exe; Code function: 0_2_00007FF78EAED5CC LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00007FF78EAED5CC
Source: C:\Users\user\Downloads\ocsoffice.exe; Code function: 1_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_0040326B
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe; Code function: 2_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,2_2_0040326B
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe; Code function: 3_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,3_2_00403461
Source: C:\Users\user\Desktop\ocs-office.exe; Code function: 0_2_00007FF78EB059D8 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_00007FF78EB059D8
Source: C:\Users\user\Desktop\ocs-office.exe; Code function: 0_2_00007FF78EAFBE00 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00007FF78EAFBE00
Source: C:\Users\user\Desktop\ocs-office.exe; Code function: 0_2_00007FF78EB06D04 CoInitialize,CoCreateInstance,CoUninitialize,0_2_00007FF78EB06D04
Source: C:\Users\user\Desktop\ocs-office.exe; Code function: 0_2_00007FF78EA86580 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00007FF78EA86580
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe; File created: C:\Program Files\OCS Inventory Agent
Source: C:\Users\user\Desktop\ocs-office.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ocsoffice[1].exe
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe; Mutant created: \Sessions\1\BaseNamedObjects\OCSINVENTORY-088FA840-B10D-11D3-BC36-006067709674
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Program Files\OCS Inventory Agent\OcsService.exe; Mutant created: \BaseNamedObjects\OCSSERVICE-088FA840-B10D-11D3-BC36-006067709674
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe; Mutant created: \BaseNamedObjects\OCSINVENTORY-088FA840-B10D-11D3-BC36-006067709674
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe; Mutant created: \Sessions\1\BaseNamedObjects\instOCSNG
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:3672:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe; Mutant created: \Sessions\1\BaseNamedObjects\OcsSetup
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Users\user\Downloads\ocsoffice.exe; File created: C:\Users\user\AppData\Local\Temp\nsb5C55.tmp
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs
Source: ocs-office.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Downloads\ocsoffice.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ocs-office.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ocs-office.exe; Virustotal: Detection: 11%
Source: OCSInventory.exe; String found in binary or memory: <LAUNCH_BTN> <SIZE>15, 14</SIZE> <CORNERS>2, 2, 2, 2</CORNERS> </LAUNCH_BTN> <LAUNCH_ICON> <SIZE>8, 8</SIZE> </LAUNCH_ICON> <TextNormal>115, 131, 153</TextNormal> <TextHighlighted>115, 131, 153</TextHighlighted>
Source: OCSInventory.exe; String found in binary or memory: TTOM> <SIZE>100, 17</SIZE> <CORNERS>3, 0, 4, 4</CORNERS> </BOTTOM> </BACK> <CAPTION> <LAUNCH_BTN> <SIZE>15, 14</SIZE> <CORNERS>2, 2, 2, 2</CORNERS> </LAUNCH_BTN> <LAUNCH_ICON> <SIZE>8, 8</SIZE> </L
Source: OCSInventory.exe; String found in binary or memory: <CORNERS>2, 0, 2, 16</CORNERS> </BOTTOM> </BACK> <CAPTION> <LAUNCH_ICON> <SIZE>12, 12</SIZE> </LAUNCH_ICON> <TextNormal>255, 255, 255</TextNormal> <TextHighlighted>255, 255, 255</TextHighlighted> </CAPTION> <S
Source: OCSInventory.exe; String found in binary or memory: <SIZE>15, 14</SIZE> <CORNERS>2, 2, 2, 2</CORNERS> </LAUNCH_BTN> <LAUNCH_ICON> <SIZE>8, 8</SIZE> </LAUNCH_ICON> <TextNormal>83, 84, 89</TextNormal> <TextHighlighted>83, 84, 89</TextHighlighted> </CAPTION> <SEPA
Source: OCSInventory.exe; String found in binary or memory: SIZE>100, 17</SIZE> <CORNERS>3, 0, 4, 4</CORNERS> </BOTTOM> </BACK> <CAPTION> <LAUNCH_BTN> <SIZE>15, 14</SIZE> <CORNERS>2, 2, 2, 2</CORNERS> </LAUNCH_BTN> <LAUNCH_ICON> <SIZE>8, 8</SIZE> </LAUNCH_ICON>
Source: unknown; Process created: C:\Users\user\Desktop\ocs-office.exe C:\Users\user\Desktop\ocs-office.exe
Source: C:\Users\user\Desktop\ocs-office.exe; Process created: C:\Users\user\Downloads\ocsoffice.exe C:\Users\user\Downloads\ocsoffice.exe
Source: C:\Users\user\Downloads\ocsoffice.exe; Process created: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe instocs.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe; Process created: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe "C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe" /S /NP /NOSPLASH /NO_SYSTRAY /NOW /TAG="office" /SERVER=http://ti.fm2c.com.br/ocsinventory
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe; Process created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe "C:\Program Files\OCS Inventory Agent\ocsinventory.exe" /SAVE_CONF /SERVER=http://ti.fm2c.com.br/ocsinventory /USER= /PWD= /SSL=1 /CA="cacert.pem" /PROXY_TYPE=0 /PROXY= /PROXY_PORT= /PROXY_USER= /PROXY_PWD= /DEBUG=0 /TAG="office" /WMI_FLAG_MODE="COMPLETE" /DEFAULT_USER_DOMAIN="" /NO_SYSTRAY
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe; Process created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe C:\Program Files\OCS Inventory Agent\ocsinventory.exe
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cscript.exe cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs"
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /displaydns
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe; Process created: C:\Program Files\OCS Inventory Agent\OcsService.exe "C:\Program Files\OCS Inventory Agent\OcsService.exe" -install
Source: C:\Program Files\OCS Inventory Agent\OcsService.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Program Files\OCS Inventory Agent\OcsService.exe C:\Program Files\OCS Inventory Agent\OcsService.exe
Source: C:\Program Files\OCS Inventory Agent\OcsService.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c "C:\Program Files\OCS Inventory Agent\ocsinventory.exe
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe C:\Program Files\OCS Inventory Agent\ocsinventory.exe
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs"
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /displaydns
Source: C:\Users\user\Desktop\ocs-office.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Downloads\ocsoffice.exeFile written: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\ocsdat.ini
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exeDirectory created: C:\Program Files\OCS Inventory Agent
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exeDirectory created: C:\Program Files\OCS Inventory Agent\Plugins
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exeDirectory created: C:\Program Files\OCS Inventory Agent\Plugins\DO_NOT_REMOVE.txt
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exeDirectory created: C:\Program Files\OCS Inventory Agent\Plugins\o36516user.vbs
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\libeay32.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\ssleay32.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\mfc140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\mfc140u.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\mfcm140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\mfcm140u.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\vcomp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\vcamp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\ucrtbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\ZipArchive.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\ComHTTP.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\OcsWmi.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\SysInfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\OCSInventory Front.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\Download.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\OcsService.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\OcsSystray.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\OcsNotifyUser.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\OCS-transform.xsl
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\Plugins\Saas.ps1
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeDirectory created: C:\Program Files\OCS Inventory Agent\uninst.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory NG Agent
Source: ocs-office.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: ocs-office.exeStatic file information: File size 1166336 > 1048576
Source: ocs-office.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ocs-office.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ocs-office.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ocs-office.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ocs-office.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ocs-office.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ocs-office.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\openssl-1.0.2r\out32dll\ssleay32.pdb source: OCSInventory.exe, 00000007.00000002.2031169967.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp, OCSInventory.exe, 00000008.00000002.2195385269.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp, OCSInventory.exe, 00000016.00000002.2414567170.00007FFE0E16D000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\MFCM140U.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\MFCM140.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OCSInventory Front.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031403378.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000008.00000002.2196356994.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000011.00000002.2232355200.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000013.00000002.2908044221.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000016.00000002.2415168665.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\openssl-1.0.2r\out32dll\libeay32.pdb source: OCSInventory.exe, 00000007.00000002.2030109278.00007FFDFB4A9000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000008.00000002.2193943425.00007FFDFB4A9000.00000002.00000001.01000000.00000018.sdmp, OcsService.exe, 00000011.00000002.2231658880.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp, OcsService.exe, 00000013.00000002.2907261387.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp, OCSInventory.exe, 00000016.00000002.2413735788.00007FFDFBA19000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OCSInventory.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000000.2027408654.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000007.00000002.2029941666.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000008.00000002.2193694096.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000008.00000000.2057861583.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000016.00000000.2249360801.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp, OCSInventory.exe, 00000016.00000002.2412776468.00007FF7B4C3C000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\zlib-1.2.8\zlib1.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029529385.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000008.00000002.2192290265.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000011.00000002.2229660959.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000013.00000002.2904927334.000000006670E000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000016.00000002.2411630185.000000006670E000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcamp140.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: OCSInventory.exe, 00000007.00000002.2030509014.00007FFDFB834000.00000002.00000001.01000000.00000019.sdmp, OCSInventory.exe, 00000008.00000002.2194438887.00007FFDFB834000.00000002.00000001.01000000.00000019.sdmp, OcsService.exe, 00000011.00000002.2231151082.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp, OcsService.exe, 00000013.00000002.2906769234.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp, OCSInventory.exe, 00000016.00000002.2413114558.00007FFDFB684000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\ComHTTP.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031254054.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000008.00000002.2195594617.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp, OCSInventory.exe, 00000016.00000002.2414823583.00007FFE126C7000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsWmi.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029595116.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OCSInventory.exe, 00000008.00000002.2192512504.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OcsService.exe, 00000011.00000002.2229840960.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OcsService.exe, 00000013.00000002.2905102277.0000000180007000.00000002.00000001.01000000.0000001A.sdmp, OCSInventory.exe, 00000016.00000002.2411751483.0000000180007000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsSystray.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\SysInfo.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2030862261.00007FFDFF2BB000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000008.00000002.2194884273.00007FFDFF2BB000.00000002.00000001.01000000.00000016.sdmp, OcsService.exe, 00000011.00000002.2232054370.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp, OcsService.exe, 00000013.00000002.2907707881.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp, OCSInventory.exe, 00000016.00000002.2414173406.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031330447.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp, OCSInventory.exe, 00000008.00000002.2195863861.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp, OcsService.exe, 00000011.00000002.2232211869.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp, OcsService.exe, 00000013.00000002.2907881081.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp, OCSInventory.exe, 00000016.00000002.2414992126.00007FFE126F1000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsService.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsService.exe, 00000011.00000002.2230690850.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000011.00000000.2223938644.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000013.00000000.2243858108.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp, OcsService.exe, 00000013.00000002.2906285996.00007FF6EED67000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcomp140.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\OcsNotifyUser.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\External_Deps\ZipArchive\x64\Release Unicode STL MD DLL\ZipArchive.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\charl\Documents\GitHub\WindowsAgent64\Release\Download.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031477967.00007FFE13315000.00000002.00000001.01000000.0000001C.sdmp, OCSInventory.exe, 00000008.00000002.2196757713.00007FFE13315000.00000002.00000001.01000000.0000001C.sdmp, OcsService.exe, 00000011.00000002.2232501460.00007FFE1A475000.00000002.00000001.01000000.0000001C.sdmp, OcsService.exe, 00000013.00000002.2908212378.00007FFE1A475000.00000002.00000001.01000000.0000001C.sdmp, OCSInventory.exe, 00000016.00000002.2415294839.00007FFE1A475000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: OCSInventory.exe, 00000007.00000002.2030972028.00007FFE002D5000.00000002.00000001.01000000.0000001B.sdmp, OCSInventory.exe, 00000008.00000002.2195052215.00007FFE002D5000.00000002.00000001.01000000.0000001B.sdmp, OcsService.exe, 00000011.00000002.2231886839.00007FFE00305000.00000002.00000001.01000000.0000001B.sdmp, OcsService.exe, 00000013.00000002.2907530308.00007FFE00305000.00000002.00000001.01000000.0000001B.sdmp, OCSInventory.exe, 00000016.00000002.2414004919.00007FFE00305000.00000002.00000001.01000000.0000001B.sdmp
Source: ocs-office.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ocs-office.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ocs-office.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ocs-office.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ocs-office.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: ucrtbase.dll.3.drStatic PE information: 0xBBF7FB0E [Fri Dec 6 21:30:54 2069 UTC]
Source: C:\Users\user\Desktop\ocs-office.exeCode function: 0_2_00007FF78EB1AF20 LoadLibraryA,GetProcAddress,0_2_00007FF78EB1AF20
Source: services.dll.3.drStatic PE information: real checksum: 0x0 should be: 0x561f
Source: instOCS.exe.1.drStatic PE information: real checksum: 0x0 should be: 0x746c5
Source: KillProcDLL.dll.3.drStatic PE information: real checksum: 0x0 should be: 0xad9e
Source: nsExec.dll.3.drStatic PE information: real checksum: 0x0 should be: 0x2c08
Source: uninst.exe.3.drStatic PE information: real checksum: 0x5ad785 should be: 0x7386f
Source: System.dll.2.drStatic PE information: real checksum: 0x0 should be: 0xd8f8
Source: System.dll.3.drStatic PE information: real checksum: 0x0 should be: 0xdd14
Source: ocsoffice.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x5f7e3c
Source: System.dll.1.drStatic PE information: real checksum: 0x0 should be: 0xd8f8
Source: UserInfo.dll.3.drStatic PE information: real checksum: 0x0 should be: 0x1e00
Source: UserInfo.dll.1.drStatic PE information: real checksum: 0x0 should be: 0x67f6
Source: ocsoffice[1].exe.0.drStatic PE information: real checksum: 0x0 should be: 0x5f7e3c
Source: mfc140.dll.3.drStatic PE information: section name: .didat
Source: mfc140u.dll.3.drStatic PE information: section name: .didat
Source: mfcm140.dll.3.drStatic PE information: section name: .nep
Source: mfcm140u.dll.3.drStatic PE information: section name: .nep
Source: vcruntime140.dll.3.drStatic PE information: section name: _RDATA
Source: vcomp140.dll.3.drStatic PE information: section name: _RDATA
Source: C:\Users\user\Desktop\ocs-office.exeCode function: 0_2_00007FF78EAB78FD push rdi; ret 0_2_00007FF78EAB7904
Source: C:\Users\user\Desktop\ocs-office.exeCode function: 0_2_00007FF78EAB7399 push rdi; ret 0_2_00007FF78EAB73A2
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB405F71 push rcx; ret 7_2_00007FFDFB405F72
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB460DE2 push rcx; ret 7_2_00007FFDFB460DE3
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB406111 push rcx; ret 7_2_00007FFDFB406112
Source: msvcr120.dll.3.drStatic PE information: section name: .text entropy: 6.9566713846558015

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /displaydns
Source: C:\Users\user\Desktop\ocs-office.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ocsoffice[1].exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\mfc140u.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\OcsService.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\vcomp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\libeay32.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\OCSInventory Front.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\OcsSystray.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\Download.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\ucrtbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\vcamp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\KillProcDLL.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\OcsWmi.dll
Source: C:\Users\user\Desktop\ocs-office.exeFile created: C:\Users\user\Downloads\ocsoffice.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\OcsNotifyUser.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\SetACL.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\vcruntime140.dll
Source: C:\Users\user\Downloads\ocsoffice.exeFile created: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\UserInfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\ssleay32.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\mfcm140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\ZipArchive.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\services.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\mfc140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\mfcm140u.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\zlib1.dll
Source: C:\Users\user\Downloads\ocsoffice.exeFile created: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exeFile created: C:\Users\user\AppData\Local\Temp\nsm5E69.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\SysInfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\uninst.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Program Files\OCS Inventory Agent\ComHTTP.dll
Source: C:\Users\user\Downloads\ocsoffice.exeFile created: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\UserInfo.dll
Source: C:\Users\user\Downloads\ocsoffice.exeFile created: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OCS-Windows-Agent-Setup-x64.log
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\OCS Inventory Service
Source: C:\Users\user\Desktop\ocs-office.exeCode function: 0_2_00007FF78EAA4514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00007FF78EAA4514
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeCode function: 7_2_00007FFDFB4253E0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,7_2_00007FFDFB4253E0
Source: C:\Users\user\Desktop\ocs-office.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\ocs-office.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\ocs-office.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ocsoffice.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\OCS Inventory Agent\OcsService.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_PhysicalMemoryArray
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_PointingDevice
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Printer
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_SoundDevice
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\Configuration name: DriverDesc
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\Properties name: DriverDesc
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ocs-office.exe Window / User API: threadDelayed 3268
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4346
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2521
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2927
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2251
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\services.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\mfc140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\vcomp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\mfcm140u.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\OcsSystray.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\Download.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\vcamp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\KillProcDLL.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm5E69.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\OcsNotifyUser.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\uninst.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\ComHTTP.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\SetACL.exe
Source: C:\Users\user\Downloads\ocsoffice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\UserInfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\UserInfo.dll
Source: C:\Users\user\Downloads\ocsoffice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\mfcm140.dll
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Dropped PE file which has not been started: C:\Program Files\OCS Inventory Agent\ZipArchive.dll
Source: C:\Users\user\Desktop\ocs-office.exe Evaded block: after key decision graph_0-100887
Source: C:\Users\user\Desktop\ocs-office.exe API coverage: 6.9 %
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe API coverage: 5.5 %
Source: C:\Users\user\Desktop\ocs-office.exe TID: 6576 Thread sleep time: -32680s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe TID: 3064 Thread sleep count: 113 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032 Thread sleep count: 4346 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032 Thread sleep count: 2521 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\OCS Inventory Agent\OcsService.exe TID: 1244 Thread sleep count: 48 > 30
Source: C:\Program Files\OCS Inventory Agent\OcsService.exe TID: 1244 Thread sleep time: -48000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1904 Thread sleep count: 2927 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1904 Thread sleep count: 2251 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2344 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe File opened: PhysicalDrive0
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Bios
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files\OCS Inventory Agent\OcsService.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAFBC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00007FF78EAFBC70
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAC2F50 FindFirstFileExW,0_2_00007FF78EAC2F50
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAFC7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00007FF78EAFC7C0
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB0A874 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00007FF78EB0A874
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB0A350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,0_2_00007FF78EB0A350
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB0A4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,0_2_00007FF78EB0A4F8
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB06428 FindFirstFileW,FindNextFileW,FindClose,0_2_00007FF78EB06428
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAFB7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00007FF78EAFB7C0
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB071F4 FindFirstFileW,FindClose,0_2_00007FF78EB071F4
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB072A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00007FF78EB072A8
Source: C:\Users\user\Downloads\ocsoffice.exe Code function: 1_2_00406313 FindFirstFileA,FindClose,1_2_00406313
Source: C:\Users\user\Downloads\ocsoffice.exe Code function: 1_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_2_004057D8
Source: C:\Users\user\Downloads\ocsoffice.exe Code function: 1_2_00402765 FindFirstFileA,1_2_00402765
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe Code function: 2_2_00406313 FindFirstFileA,FindClose,2_2_00406313
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe Code function: 2_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,2_2_004057D8
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe Code function: 2_2_00402765 FindFirstFileA,2_2_00402765
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Code function: 3_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,3_2_004059F0
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Code function: 3_2_0040659C FindFirstFileA,FindClose,3_2_0040659C
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Code function: 3_2_004027A1 FindFirstFileA,3_2_004027A1
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_00007FFDFB3B5D90 _errno,_errno,malloc,memset,malloc,malloc,free,free,_errno,MultiByteToWideChar,FindFirstFileW,free,free,free,_errno,FindNextFileW,WideCharToMultiByte,_errno,7_2_00007FFDFB3B5D90
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAA1D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_00007FF78EAA1D80
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe File opened: C:\Users\user\AppData\Local
Source: OCSInventory.exeBinary or memory string: VMware
Source: OCSInventory.exe, 00000016.00000002.2412384666.000001EC322DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,VMware VMCI Bus Device)
Source: OCSInventory.exe, 00000016.00000003.2410745267.000001EC3227F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
Source: OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,VMware VMCI Bus Deviceevice
Source: OCSInventory.exe, 00000016.00000002.2414173406.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: MicrosoftQEMUXenVMwareVirtual HDVirtual MachineVBOXVirtualBoxVirtual CDWSA Get IPv4 address...Failed to load <WSAStartup> function from wsock32.dll !
Source: OCSInventory.exe, 00000008.00000003.2191316015.000001D995912000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193138521.000001D995912000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 66Microsoft Hyper-V Virtualization Infrastructure Driverdn;
Source: OCSInventory.exe, 00000016.00000002.2412303943.000001EC322BC000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410952624.000001EC322BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HMicrosoft Hyper-V Generation Counter
Source: OCSInventory.exe, 00000016.00000002.2412384666.000001EC322DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,VMware VMCI Bus Deviceon
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031403378.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000008.00000002.2196356994.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000011.00000002.2232355200.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000013.00000002.2908044221.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000016.00000002.2415168665.00007FFE13222000.00000002.00000001.01000000.00000015.sdmpBinary or memory string: ?SetVirtualMachines@COCSInventoryState@@QEAAXPEB_W@Z
Source: OCSInventory.exe, OCSInventory.exe, 00000008.00000003.2190745262.000001D997780000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2190104058.000001D997780000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2409239112.000001EC32D58000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2409305516.000001EC32D70000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2409165390.000001EC32D34000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2409918315.000001EC32D8F000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2408981922.000001EC32D30000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2409734595.000001EC32D8F000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2409518675.000001EC32D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VIRTUALMACHINES
Source: OCSInventory.exe, 00000016.00000002.2412253744.000001EC3228B000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410871338.000001EC3228A000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410745267.000001EC3227F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lMicrosoft Hyper-V Virtualization Infrastructure Driver();
Source: ocs-office.exe, 00000000.00000003.2302497939.000001814F495000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2303355822.000001814F496000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2299316240.000001814F770000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2304050623.000001814F770000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2302157006.000001814F492000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tComputer System ProductUF8L8T71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.Noney*
Source: OCSInventory.exe Binary or memory string: Virtual HD
Source: OCSInventory.exe, 00000008.00000003.2190288810.000001D9977A4000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2189796044.000001D99779C000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000002.2412454459.000001EC32303000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000002.2412476657.000001EC32307000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000002.2412476657.000001EC3230F000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000002.2412476657.000001EC3230C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <VIRTUALMACHINES />
Source: OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.driveintec
Source: OCSInventory.exe, 00000008.00000003.2191316015.000001D995947000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193277809.000001D995947000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2189853413.000001D995947000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2180395080.000001D995946000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2181153915.000001D995946000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HMicrosoft Hyper-V Generation CounterX
Source: OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PnPSignedDriverDisk driveDISKDRIVESCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskSCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000{4d36e967-e325-11ce-bfc1-08002be10318}Bus Number 0, Target Id 0, LUN 0\Device\00000023(Standard disk drives)VMware Virtual disk SCSI Disk Devicedisk.infMicrosoft20060621000000.******+***Disk drive10.0.19041.1865Microsoft Windows9
Source: OCSInventory.exe, 00000008.00000003.2191692441.000001D99593C000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193220048.000001D99593C000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2191316015.000001D99593C000.00000004.00000020.00020000.00000000.sdmp, OcsService.exe, 00000013.00000002.2905552943.00000170E8855000.00000004.00000020.00020000.00000000.sdmp, OcsService.exe, 00000013.00000003.2903794985.00000170E8855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000002.2412303943.000001EC322BC000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410952624.000001EC322BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OCSInventory.exe, 00000008.00000003.2181153915.000001D995946000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: OCSInventory.exe, 00000008.00000003.2181153915.000001D995946000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRomNECVMWarVMware_SATA_CD001.00
Source: OCSInventory.exe, 00000016.00000002.2414173406.00007FFE0038B000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: VMware Inc.,
Source: OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DiskVMware__Virtual_disk____2.0_
Source: OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: OCSInventory.exe, 00000008.00000003.2181153915.000001D995946000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00
Source: ocs-office.exe, 00000000.00000003.2299316240.000001814F770000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2304050623.000001814F770000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWV'
Source: OCSInventory.exe, 00000016.00000002.2412384666.000001EC322DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc. Processor$a
Source: OCSInventory.exe, 00000008.00000003.2181153915.000001D995946000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PnPSignedDriverCD-ROM DriveCDROMSCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomSCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000{4d36e965-e325-11ce-bfc1-08002be10318}Bus Number 0, Target Id 0, LUN 0\Device\00000025(Standard CD-ROM drives)NECVMWar VMware SATA CD00cdrom.infMicrosoft20060621000000.******+***CD-ROM Drive10.0.19041.1266Microsoft Windows3
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031403378.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000008.00000002.2196356994.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000011.00000002.2232355200.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000013.00000002.2908044221.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000016.00000002.2415168665.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: REGISTRYHARDWAREMEMORIESBIOSCONTROLLERSSLOTSPORTSMONITORSDRIVESSTORAGESMODEMSINPUTSPRINTERSNETWORKSVIDEOSSOUNDSVIRTUALMACHINESSOFTWARESCPUS%s\*.*KERNEL32.DLLGetDiskFreeSpaceExW&#37;x%cw,ccs=UTF-8%c%c%02x%c%2XPROLOG
Source: OCSInventory.exe, 00000008.00000003.2191316015.000001D995947000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193277809.000001D995947000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2189853413.000001D995947000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2180395080.000001D995946000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2181153915.000001D995946000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HMicrosoft Hyper-V Generation CounterN 00.000P3
Source: OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,VMware VMCI Bus Device)onitor7
Source: OCSInventory.exe, 00000008.00000003.2191316015.000001D995912000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193138521.000001D995912000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000002.2412253744.000001EC3228B000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410871338.000001EC3228A000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410745267.000001EC3227F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lMicrosoft Hyper-V Virtualization Infrastructure Driver
Source: OCSInventory.exe, 00000016.00000003.2410745267.000001EC3227F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System ProductUF8L8T71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.Noney*
Source: OCSInventory.exe, 00000008.00000003.2189607209.000001D995947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031403378.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000008.00000002.2196356994.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000011.00000002.2232355200.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000013.00000002.2908044221.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000016.00000002.2415168665.00007FFE13222000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: ?GetVirtualMachines@COCSInventoryState@@QEAAPEB_WXZ
Source: OCSInventory.exe, 00000016.00000002.2412303943.000001EC322BC000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410952624.000001EC322BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HMicrosoft Hyper-V Generation Counteroller000L3
Source: OCSInventory.exe, 00000016.00000002.2412253744.000001EC3228B000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410871338.000001EC3228A000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000016.00000003.2410745267.000001EC3227F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 66emMicrosoft Hyper-V Virtualization Infrastructure DriverQ
Source: C:\Users\user\Downloads\ocsoffice.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ocs-office.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB10A00 BlockInput,0_2_00007FF78EB10A00
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EA837B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00007FF78EA837B0
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAA5BC0 GetLastError,IsDebuggerPresent,OutputDebugStringW,0_2_00007FF78EAA5BC0
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB1AF20 LoadLibraryA,GetProcAddress,0_2_00007FF78EB1AF20
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAECDC4 GetProcessHeap,HeapAlloc,InitializeAcl,0_2_00007FF78EAECDC4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAC8FE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF78EAC8FE4
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EABAF58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF78EABAF58
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAA59C8 SetUnhandledExceptionFilter,0_2_00007FF78EAA59C8
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAA57E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF78EAA57E4
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_6670D6FC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6670D6FC
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_6670CCB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6670CCB4
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_0000000180005830 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0000000180005830
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_00000001800059B4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00000001800059B4
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_00007FF7B4C3A210 SetUnhandledExceptionFilter,7_2_00007FF7B4C3A210
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_00007FF7B4C39C60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF7B4C39C60
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_00007FF7B4C3A02C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF7B4C3A02C
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_00007FFDFB4A7574 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FFDFB4A7574

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}"
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAECE68 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00007FF78EAECE68
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EA837B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00007FF78EA837B0
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAA4514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00007FF78EAA4514
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB14C58 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_00007FF78EB14C58
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Process created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe "C:\Program Files\OCS Inventory Agent\ocsinventory.exe" /SAVE_CONF /SERVER=http://ti.fm2c.com.br/ocsinventory /USER= /PWD= /SSL=1 /CA="cacert.pem" /PROXY_TYPE=0 /PROXY= /PROXY_PORT= /PROXY_USER= /PROXY_PWD= /DEBUG=0 /TAG="office" /WMI_FLAG_MODE="COMPLETE" /DEFAULT_USER_DOMAIN="" /NO_SYSTRAY
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Process created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe C:\Program Files\OCS Inventory Agent\ocsinventory.exe
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Process created: C:\Program Files\OCS Inventory Agent\OcsService.exe "C:\Program Files\OCS Inventory Agent\OcsService.exe" -install
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /displaydns
Source: C:\Program Files\OCS Inventory Agent\OcsService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c "C:\Program Files\OCS Inventory Agent\ocsinventory.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe C:\Program Files\OCS Inventory Agent\ocsinventory.exe
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /displaydns
Source: C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe Process created: C:\Program Files\OCS Inventory Agent\OCSInventory.exe "c:\program files\ocs inventory agent\ocsinventory.exe" /save_conf /server=http://ti.fm2c.com.br/ocsinventory /user= /pwd= /ssl=1 /ca="cacert.pem" /proxy_type=0 /proxy= /proxy_port= /proxy_user= /proxy_pwd= /debug=0 /tag="office" /wmi_flag_mode="complete" /default_user_domain="" /no_systray
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAEC858 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00007FF78EAEC858
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAED540 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00007FF78EAED540
Source: ocs-office.exe, 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ocs-office.exe Binary or memory string: Shell_TrayWnd
Source: OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CSystemTrayTaskbarCreatedTrayNotifyWndTrayClockWClassShell_TrayWnd8
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EABFD20 cpuid 0_2_00007FF78EABFD20
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB08BF4 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,wcscat,wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,wcscpy,0_2_00007FF78EB08BF4
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAE2BCF GetUserNameW,0_2_00007FF78EAE2BCF
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAC2650 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00007FF78EAC2650
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EAA1D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_00007FF78EAA1D80
Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ocs-office.exe Binary or memory string: WIN_81
Source: ocs-office.exe Binary or memory string: WIN_XP
Source: ocs-office.exe Binary or memory string: WIN_XPe
Source: ocs-office.exe Binary or memory string: WIN_VISTA
Source: ocs-office.exe, 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: ocs-office.exe Binary or memory string: WIN_7
Source: ocs-office.exe Binary or memory string: WIN_8
Source: ocs-office.exe, 00000000.00000003.1633738226.000001814F464000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XPON6@h7
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB14074 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00007FF78EB14074
Source: C:\Users\user\Desktop\ocs-office.exe Code function: 0_2_00007FF78EB13940 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00007FF78EB13940
Source: C:\Program Files\OCS Inventory Agent\OCSInventory.exe Code function: 7_2_00007FFDFB41F1E0 htons,htonl,socket,setsockopt,bind,WSAGetLastError,strchr,memcpy,htonl,socket,connect,closesocket,closesocket,socket,WSAGetLastError,closesocket,listen,WSAGetLastError,7_2_00007FFDFB41F1E0
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | 931 Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 11 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | 11 Windows Service | 21 Access Token Manipulation | 1 Software Packing | NTDS | 168 System Information Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Windows Service | 1 Timestomp | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 12 Process Injection | 1 DLL Side-Loading | Cached Domain Credentials | 971 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 561 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 3 Masquerading | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Valid Accounts | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 561 Virtualization/Sandbox Evasion | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 21 Access Token Manipulation | Input Capture | 1 System Network Configuration Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 12 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
[Behavior Graph: ID: 1401771, Sample: ocs-office.exe, Startdate: 02/03/2024, Architecture: WINDOWS, Score: 100]

Source | Detection | Scanner | Label | Link
ocs-office.exe | 3% | ReversingLabs | |
ocs-office.exe | 11% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Program Files\OCS Inventory Agent\ComHTTP.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\ComHTTP.dll | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\Download.exe | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\Download.exe | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\OCSInventory Front.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\OCSInventory Front.dll | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\OCSInventory.exe | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\OCSInventory.exe | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\OcsNotifyUser.exe | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\OcsNotifyUser.exe | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\OcsService.exe | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\OcsService.exe | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\OcsSystray.exe | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\OcsSystray.exe | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\OcsWmi.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\OcsWmi.dll | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\SysInfo.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\SysInfo.dll | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\ZipArchive.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\ZipArchive.dll | 0% | Virustotal | | Browse
C:\Program Files\OCS Inventory Agent\libcurl.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\libeay32.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\mfc140.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\mfc140u.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\mfcm140.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\mfcm140u.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\msvcp140.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\msvcr120.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\ssleay32.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\ucrtbase.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\uninst.exe | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\vcamp140.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\vcomp140.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\vcruntime140.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\vcruntime140_1.dll | 0% | ReversingLabs | |
C:\Program Files\OCS Inventory Agent\zlib1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ocsoffice[1].exe | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\UserInfo.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\KillProcDLL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\SetACL.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\UserInfo.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\nsProcess.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsi60BC.tmp\services.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsm5E69.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\Downloads\ocsoffice.exe | 3% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
portal.fm2c.com.br | 0% | Virustotal | | Browse
fp2e7a.wpc.phicdn.net | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
http://crl.m | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |
http://ti.fm2c.com.br/ocsinventoryOCS | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exe% | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventory | 0% | Avira URL Cloud | safe |
http://www.ocsinventory-ng.orgPublisherOCS | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/ | 0% | Avira URL Cloud | safe |
http://www.ocsinventory-ng.org%s | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exe8 | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeH | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/ | 0% | Virustotal | | Browse
http://ti.fm2c.com.br/ocsinventory | 0% | Virustotal | | Browse
http://ti.fm2c.com.br/ocsinventoryOCS | 0% | Virustotal | | Browse
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeexe | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventorySaturdayOSPLASH | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeE% | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventory/USER=/PWD=/SSL=1/CA=cacert.pem/PROXY_TYPE=0/PROXY=/PROXY_PORT=/PR | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventorynt | 0% | Avira URL Cloud | safe |
http://www.artpol-software.com | 0% | Avira URL Cloud | safe |
http://www.ocsinventory-ng.orgN | 0% | Avira URL Cloud | safe |
http://www.ocsinventory-ng.orgL | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeS | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventorynt | 0% | Virustotal | | Browse
http://www.artpol-software.com | 0% | Virustotal | | Browse
http://www.ocsinventory-ng.orgJ | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exeQ | 0% | Avira URL Cloud | safe |
http://www.ocsinventory-ng.orgF | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventory/USER=/PWD=/SSL=1/CA=cacert.pem/PROXY_TYPE=0/PROXY=/PROXY_PORT=/PR | 0% | Virustotal | | Browse
http://ti.fm2c.com.br/ocsinventory: | 0% | Avira URL Cloud | safe |
http://www.ocsinventory-ng.orgB | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventoryERVER=http://ti.fm2c.com.br/ocsinventoryS/NP | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventoryC: | 0% | Avira URL Cloud | safe |
http://ocsp.sectigo.com0J | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exet | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventory_ | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exe | 0% | Avira URL Cloud | safe |
http://ti.fm2c.com.br/ocsinventory: | 0% | Virustotal | | Browse
http://ti.fm2c.com.br/ocsinventory12ESS: | 0% | Avira URL Cloud | safe |
http://www.ocsinventory-ng.orgV | 0% | Avira URL Cloud | safe |
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exe | 0% | Virustotal | | Browse
http://ti.fm2c.com.br/ocsinventoryC: | 0% | Virustotal | | Browse
http://ti.fm2c.com.br/ocsinventoryERVER=http://ti.fm2c.com.br/ocsinventoryS/NP | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ti.fm2c.com.br | 119.8.228.120 | true | false | | unknown
portal.fm2c.com.br | 119.8.87.215 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ti.fm2c.com.br/ocsinventory | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                  • URL Reputation: safe
                                  unknown
                                  http://crl.mocs-office.exe, 00000000.00000002.2304139728.000001814F7BB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://nsis.sf.net/NSIS_ErrorOcsSetup.exe, OcsSetup.exe, 00000003.00000003.2251156729.0000000003081000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2263622193.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, OcsSetup.exe, 00000003.00000000.1724965818.000000000040A000.00000008.00000001.01000000.0000000D.sdmpfalse
                                    high
                                    http://ocsp.sectigo.com0Jocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.zlib.net/OCSInventory.exefalse
                                      high
                                      https://portal.fm2c.com.br/paginas/publicFiles/ocsoffice.exetocs-office.exe, 00000000.00000003.2299749862.000001814F663000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000002.2303809041.000001814F673000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2299633468.000001814F65D000.00000004.00000020.00020000.00000000.sdmp, ocs-office.exe, 00000000.00000003.2299557988.000001814F65B000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.zlib.net/DOcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2029556525.0000000066716000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000008.00000002.2192340700.0000000066716000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000011.00000002.2229759988.0000000066716000.00000002.00000001.01000000.00000017.sdmp, OcsService.exe, 00000013.00000002.2904997429.0000000066716000.00000002.00000001.01000000.00000017.sdmp, OCSInventory.exe, 00000016.00000002.2411679589.0000000066716000.00000002.00000001.01000000.00000017.sdmpfalse
                                        high
                                        http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#ocsoffice.exe, 00000001.00000002.2269798656.000000000040A000.00000004.00000001.01000000.00000006.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002E53000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp, OcsSetup.exe, 00000003.00000002.2264719899.0000000002DE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://ti.fm2c.com.br/ocsinventory_OCSInventory.exe, 00000008.00000003.2191316015.000001D995901000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000002.2193112052.000001D995901000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000008.00000003.2191756385.000001D995901000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://aka.ms/pscore68powershell.exe, 0000000F.00000002.2132643091.000001E48A7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2314383504.000001E866421000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://oneget.orgpowershell.exe, 0000000F.00000002.2132643091.000001E48BFEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2314383504.000001E867C25000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://ti.fm2c.com.br/ocsinventory12ESS:OcsSetup.exe, 00000003.00000002.2263622193.0000000000427000.00000004.00000001.01000000.0000000D.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.ocsinventory-ng.orgVOcsSetup.exe, 00000003.00000002.2264719899.0000000002855000.00000004.00000020.00020000.00000000.sdmp, OCSInventory.exe, 00000007.00000002.2031437511.00007FFE13241000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000008.00000002.2196531442.00007FFE13241000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000011.00000002.2232416874.00007FFE13241000.00000002.00000001.01000000.00000015.sdmp, OcsService.exe, 00000013.00000002.2908113490.00007FFE13241000.00000002.00000001.01000000.00000015.sdmp, OCSInventory.exe, 00000016.00000002.2415223849.00007FFE13241000.00000002.00000001.01000000.00000015.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://curl.haxx.se/docs/copyright.htmlOCSInventory.exefalse
                                            high
                                            https://curl.haxx.se/OCSInventory.exefalse
                                              high
IP             Domain              Country    ASN     ASN Name                      Malicious
119.8.228.120  ti.fm2c.com.br      Singapore  136907  HWCLOUDS-AS-APHUAWEICLOUDSHK  false
119.8.87.215   portal.fm2c.com.br  Singapore  136907  HWCLOUDS-AS-APHUAWEICLOUDSHK  false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1401771
Start date and time: 2024-03-02 02:22:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ocs-office.exe
Detection: MAL
Classification: mal100.evad.winEXE@44/69@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 71
• Number of non-executed functions: 220
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                              • Excluded IPs from analysis (whitelisted): 13.85.23.86, 72.21.81.240
                                              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                              • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type             Description
02:23:25  API Interceptor  1x Sleep call for process: OcsSetup.exe modified
02:23:38  API Interceptor  10x Sleep call for process: powershell.exe modified
02:24:42  API Interceptor  19x Sleep call for process: OcsService.exe modified
                                              No context
                                              No context
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):63392
                                              Entropy (8bit):5.920182486485395
                                              Encrypted:false
                                              SSDEEP:1536:W83/92mO0vGedF40OWdHtJADliavnYQ+8iAe:Wq/4YGE40dtJ4Uavn3De
                                              MD5:04CCE3412D3E4703E23B714C17A2977A
                                              SHA1:9205397142100E977FE5F46809585C953D3B93C6
                                              SHA-256:8CCACAC9A0659D3E46567661D11A2D71607D9101B1B9B523F16D10B13F5A8D26
                                              SHA-512:5C94D72CA517D896225121052DB05C20774E32356AFFDC83821BF9720113E27CEB1386AAC5BF53A7554C59A6169160A1A50428AC63AC561DC02FB19BBCD551AB
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):449952
                                              Entropy (8bit):3.7378710944497597
                                              Encrypted:false
                                              SSDEEP:1536:f1gj5jtiKwrqoNuWS8nfoNja1EFFSZMwExLDgCIk/VjaJQ+8iAU:f1AdIkt8j1EvwEFgCIk/daWDU
                                              MD5:1FEB0C8A967C8E5E4D055B20C2A2214E
                                              SHA1:0309A625460A6EFFAEEBFA98940EC9E0BD99B2F8
                                              SHA-256:D93C3976FE59105C33F5C38EA27A2E9A37C2E767EFBA7E2F5F0AC0DD1F6FB8E6
                                              SHA-512:D0BFBB748471B300D84AF787ED4C8CC6364F80350507C1EDD7FDC20DDACAD6B45833AC7CBF9EFBD1F6112E5FB23B28CFCCC05BFD514B92B6FCA7686ADED58011
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:XML 1.0 document text (XSL stylesheet) (XSL stylesheet), ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8400
                                              Entropy (8bit):4.794961143638397
                                              Encrypted:false
                                              SSDEEP:96:dXRBjar+czvpxbAGzvHcBcfc/cA+cQcGcdecVcIcpPcwcUcSIcZdcbcl:dXRBWCc7bbHAcfO2RnseSr2PNVNICdwC
                                              MD5:AC3A736E89F5FFB5AC8DB74EB81189ED
                                              SHA1:280900A3DE732A9F5F9D5D196E745FCC2ACBC033
                                              SHA-256:C9F82CADEAAD84D31301B110F64939207B6D6AAB666C4C6589C77349013E3D77
                                              SHA-512:831A172AD35FE4CF564214D5A098A232D44F41402604275CAD2A7240A68D04C27543B2BC4CA5C9EDF2EDE3ADBDB4002D51251A58C643937FD6C5C67AB9FBBED0
                                              Malicious:false
                                              Preview:<?xml version='1.0' ?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> ..<xsl:template match="/REQUEST">..<html>..<head>.. <style type="text/css">.... #OCSstyle table{.. border-collapse:collapse;.. width:90%;.. }.. #OCSstyle th{... font-family:monospace;... border:thin solid #b2b7c9;... padding:0px;... background-color:#D0E3FA;... font-size: xx-small;.. }.. #OCSstyle td{... font-family:sans-serif;... border:thin solid #b2b7c9;... padding:0px;... text-align:center;... font-size: xx-small;.. }.. #OCSstyle caption{.. font-family:sans-serif;.. }.. </style>..</head>..<body>.. <div align="center">.. <H1> OCS Inventory NG Information for Computer<br />.. <xsl:value-of select="CONTENT/HARDWARE/NAME"/>.. </H1>.. <hr/>.. </div> .... <div id="OCSstyle" align="center">.... <h2>General properties</h2> .. <table>.. <tr>.. <th>NAME</th>.. <th>VALUE</th>.
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):276384
                                              Entropy (8bit):6.152821717410416
                                              Encrypted:false
                                              SSDEEP:3072:a04uYR7QCniNhZjrLyYgjPf5z9b1/gEbghFv5YKBbGUArG4oRa8FD+0:a04NR7QU1jPhz9R/gWgArPlgp
                                              MD5:43AAE6C6CC34F445C7DF342D517D009B
                                              SHA1:E47288EC8ADEF5B9AF97402A06F877F04E64A944
                                              SHA-256:05540ECDAF7A409FB5AB23E7E434DB18579FD1979355E5888780D51FB3EC5DB6
                                              SHA-512:D4DA3F8DD6DA6276DC1A35149D07B271379886D0C01436E7911C4FC7143A29B8D9D0E74D082AC537C57C5FB3D6F64C387F8B574B580574357B3F5A397C197A54
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):486304
                                              Entropy (8bit):4.015400785752245
                                              Encrypted:false
                                              SSDEEP:3072:G4wQGd+WPG0ZFlM6o7rgPyApJJPMBc4AhwEFgCIk/Sk8aDDA:1GdvZ/M6ODc4ADg03A
                                              MD5:38E1FC55C0339A770DD39CA6541437B9
                                              SHA1:1646DDD20409034640844DBF370B3ADE4210E2F0
                                              SHA-256:3A1B250F60AA6AEAF8F910C043A4CF6A7DB0708EEBBA149C3835429461D26BCE
                                              SHA-512:CAD754610DA85DEC3A76EF53C6141F6E5F6EE159368B9D1489B391633C7D5FFD9E6B09C0F693E7D0CD8E26D17319B77F488E7AB8E4C3854C0C858B5E63FD4560
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):440736
                                              Entropy (8bit):3.611205281831877
                                              Encrypted:false
                                              SSDEEP:1536:D5rBtbc62GRYM+GRYmQgFSZMwExLDgCIk/VlRjWat0Q+8iAB:D5rvbc62FM+FmQWwEFgCIk/3ga5DB
                                              MD5:E353C5B5CA4F346B690419570833ACA5
                                              SHA1:14BD1EA1256F406A9435F346B92177277FABCA1A
                                              SHA-256:82CF940B23A8CDB8DDBA11F837202DD220D0E1F69522C211A41C4166932D0E1E
                                              SHA-512:FC7205BCB96D90B6F4E2CDD237C75BF97415190A498352794834B5023363232A7F6014FD0A32D90053C43EF9A57A3EED9756D4B096E85D26B9864BA87DCD950F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):803232
                                              Entropy (8bit):3.2256644637196716
                                              Encrypted:false
                                              SSDEEP:3072:zVDohihyyAVAxZwEFgCIk/BwEFgCIk/aayD0:B8qQAJg0gai0
                                              MD5:67C17EA1BF6EB610DEAC638E4078D6B4
                                              SHA1:2D389F89CC95BE1E1BADDAD7CE8C0C082E0ED9BC
                                              SHA-256:F42A0E62BD1F1AE410C33A7278973539B4BA13BEC4182D49F2C2BA2EB9BF6BAB
                                              SHA-512:67F5821DA16D41C83DF8DF0D2B15B711B138C438AC9A8FF1B224FDC27EA0FFE56B16E7B991A800827E5E6B7581E3CAE61B262A194B1EC5072033C2D31A5C2F25
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):463776
                                              Entropy (8bit):3.7759317016458454
                                              Encrypted:false
                                              SSDEEP:1536:Ha7+dVpvzpH40bmv7yx9vhFSZMwExLDgCIk/VuK9YaJeQ+8iA8X:H3xvzpYKvTwEFgCIk/r9YaDDk
                                              MD5:E6142E8D019297BE55C7531A0CED498A
                                              SHA1:8EB9BC28F42CE3BCA8AA676FEA1B92DD2757C33F
                                              SHA-256:495BDCD09D4B48FBA877D95CAFC49CA323C54C5E189BED63D9056442B705ECC0
                                              SHA-512:F49C245F4A2A4B409121E429BFC7C7807A19F8FB24811D6ADF8B473801BF8A189C91C07025D258AD3079562CB055F7D27116F5E604366CE7164A9A5D4F806614
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):54688
                                              Entropy (8bit):6.244031138505555
                                              Encrypted:false
                                              SSDEEP:768:nba0g4AbusjCcdhjoV4OP0QiqJKhUh+6f0AESHVa7p9E+8iROZ:Ondh0V4Y0QhJKhUh++0AES1a7Q+8iAZ
                                              MD5:5EE301D79BEA2661BCA836DE2AE4312E
                                              SHA1:414CECD0ECC84BF395044FC1730803DF22876007
                                              SHA-256:1AA3BB3766C5FFFAE2E5A4429D8A53B8E1D0D4451F94E0741CA474C0413EA886
                                              SHA-512:9237C3FE381043589B431BCFE224FC248AA56CD2744EB9AF8CD86D173E57D6B441B6E476B9F574065DBBBEED86358A8DFA1C46570776A0CB937A8709AE5995BB
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):744
                                              Entropy (8bit):5.252742514194034
                                              Encrypted:false
                                              SSDEEP:12:9Ycdr+0NJvTyY9vDO8VPsL3zHHFsZVH+2qEBVL2H4lPz5DSiY1:ac/vGY9DO4s3lsrH8EXyGFw1
                                              MD5:0A9BA55DABBF8B0A281BD90EBF457AA4
                                              SHA1:BCFFCEDC07AC9E89879966BE6C9309CF04631C76
                                              SHA-256:8B249DDC3D4F943135CEEC0E4E20A1D5058C77BFB60CFD3C9FA101FBFA5FFD9D
                                              SHA-512:18C61DA9A12AE2B3F144A415837963B5ABE568015A7C3F6A6F153B092F4C6A2D195C0BFACA25A01AD7B5B2B866353ED96DA4BAF43FF5688A56A14638D00BC9F1
                                              Malicious:false
                                              Preview:Function Get-DNSClientCache($pwlang){ . $hash = @{} .. Invoke-Expression "ipconfig /displaydns" | . Select-String -Pattern $pwlang -Context 0,5 | . %{ ....$xml += "<SAAS>`n"....$xml += "<ENTRY>" + ($_.Line -Split ":")[1].Trim().ToLower() + "</ENTRY>`n"....$xml += "<DATA>" + ($_.Context.PostContext[4] -Split ":")[1].Trim().ToLower() + "</DATA>`n"....$xml += "<TTL>" + ($_.Context.PostContext[1] -Split ":")[1].Trim() + "</TTL>`n"....$xml += "</SAAS>`n" . } ....return $xml...} ..$lang = Get-Culture..if($lang.Name -eq "fr-FR"){..$pwlang = "Nom d'enregistrement".}elseif($lang.Name -eq "it-IT"){..$pwlang = "Nome record".}else{..$pwlang = "Record Name".}.. .$dns = Get-DnsClientCache($pwlang) .echo $dns.
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):3016
                                              Entropy (8bit):5.30970049375371
                                              Encrypted:false
                                              SSDEEP:48:eYpK5XnJIlg45FhIEX5KeKtRnTXJdYRHQDwXbAiNJpZ3doJXQTN2NkUHm5:lpKI/5vIcKeKTwqaAiNLZoX2UW
                                              MD5:06E43B247299069CA58AD57CAD956A9A
                                              SHA1:B0000965F320EB3632A74B4764C6924F9677DDF2
                                              SHA-256:A6080F6A677068F42C16708F755C606B79492E62B9824D7D7B367421183B6A88
                                              SHA-512:DF2BB6D2D1AB43E44ACC344C908AFCF9AF595A715A7182BDE1AC1CA7F0D38CDEC31CA38BA13C5D21C266FAF6E321D25BDB4B0771CE5001C859C407678034DC9E
                                              Malicious:false
                                              Preview:'----------------------------------------------------------.' Plugin for OCS Inventory NG 2.x.' Script :..Retrieve Office 365 16.0 user info.' Version :..0.10.' Date :..24/02/2021.' Author :..Erich Strewlow.'----------------------------------------------------------.' OS checked [X] on.32b.64b.(Professionnal edition).'.Windows 10. [X].[X].' Windows 2012 [X] [X].' ---------------------------------------------------------.Option Explicit...Const HKEY_USERS = 2147483651..Dim aUsers().Dim aIdent().Dim registryObject .Dim conn.Dim r.Dim k.Dim j.Dim sid.Dim email.Dim name.Dim lastlogin.Dim expirationdate.Dim d.Dim IsoDate.Dim IsoTime.Dim ident..Set registryObject = GetObject("winmgmts:root\default:StdRegProv")..'If OCS agent is started as a service, it knows the local users configuration only.'through HKEY_USERS. We scan all the registered users in the host, listing.'everyone with an Office 16.0 setup.r=registryObject.EnumKey(HKEY_USERS,"",aUsers)..If r <> 0 Then. wscript.quit.End
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):632224
                                              Entropy (8bit):6.178525704467686
                                              Encrypted:false
                                              SSDEEP:12288:zfQoCYag5EBRGw8Awo3e0NEIiJCn5t/jAWTzgz7g36zC5Hu9lKPZ3h:T7C+z7gq+9R3h
                                              MD5:DF8ED7EE11621FC1F101715BA829E4B6
                                              SHA1:D3500C92CCEF9D575B55D8BFAFA8DB2CC3DC5006
                                              SHA-256:0AC8CD125C88DC14FE3C171A6426C1D44C7897C9C5E0AD21CD86E84D2E4260C2
                                              SHA-512:B06367C16D2782DB3A53916171FE64181624E41BE2A43860417833B7E6B2918DBFDED76BABBDB0AF289C445F1B1C56967219E40ADE07412C3BCA7415C8D8D7A3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):523168
                                              Entropy (8bit):6.615608032026026
                                              Encrypted:false
                                              SSDEEP:6144:QrR8BbHiTEhj5Iorxk6RTHe0MVqAuUMTBmYvOWT9vHhwmzfP:QrR8tCo1IobRTHbMwT8YvDT9vuufP
                                              MD5:55C8912360A1BD660ED1C2B9D8308365
                                              SHA1:32439E6C08C6998E1CCCAB4FF8946BF95DB5A3EA
                                              SHA-256:420DEEB85A7ACC5CFF44912BFE1C048C0017109F052637272A092B006726DB1B
                                              SHA-512:BD4EE097F65037C6B1714BDBAB2CCF275F21CA5AE3E56388D6E799BC122D45B5C7D697276436033EF620C685667E3FB46FB4D6B1D181B46968733B65687C9161
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):436640
                                              Entropy (8bit):6.4037412947819945
                                              Encrypted:false
                                              SSDEEP:6144:1Pgo1fTzVGpEc/zSE+R8luQIQbo53JOuSmu1HzuGUzPfbou7cVI/3I3HWSdsfPDU:14gfQph7SrRWovu1H7g7cVgnD+7
                                              MD5:688728C7F73BCB78841F01E25E8D8CC0
                                              SHA1:E97D4A7DD26E3381BE52B0CB0DCFB79E16F7F392
                                              SHA-256:3A9BCDFC95231D12CBC31B2842F3F27E78B3E453623EFC4478EEEDBC052477D7
                                              SHA-512:E35ED6C6F83832B01DDC2C383BA19AFD17B56EA2AF5EB8BD09514CF4B4A7EDC8E10015B4D72E8CE1A200FAF11573FE260B0890FEBE956B13AD2E91B7105FB583
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):1722784
                                              Entropy (8bit):6.543782984552167
                                              Encrypted:false
                                              SSDEEP:24576:ZE7sit6XDU2LbArX24hOhBgc0tcDabuGJhnk7lAcxP4hqDjPP5Exf:Dt42PArX24hO8cDOJhQAcxyqHPP6
                                              MD5:F83051511CEB0E2446B85F71DE1AD1BB
                                              SHA1:76312FF572848D0416536A4152C694601D1C12C7
                                              SHA-256:209D6C3083BE0FE7A32D5659626C3620E4661A86D6032A97546D841E58E139B0
                                              SHA-512:59A09890B732C5CC3F7020B476572E0975F19D74B93A3E3A38279F9B090B0B186008E00D697B51C3976CBF676641DB406B63F37B88A11BE03797D8B33DE01436
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):5607312
                                              Entropy (8bit):6.744551361376272
                                              Encrypted:false
                                              SSDEEP:49152:YWIju42P38QRul8ydnGT0CMFku/9qphaG0J4Y3HzmcgSyJj37uSwIbFLOAkGy3z9:rL3dLcsFLOAkGkzdnEVomFHKnP/
                                              MD5:06B1A0DFEFDC8BB48DB5A4BFF80E1AFD
                                              SHA1:8387C99DDBC866189E5716B73D22FE633503867A
                                              SHA-256:ACF5A630718AB82E499A163D8DA1638D5CD3D0D6EEEB96F70F61CD2C98D3BE95
                                              SHA-512:0887B817C0981C3C22F9ACC990583CE87D8DF88EC4F85D790D51359CE583556A621894AE552BE4E6C6D22DFC95FEF35DB65BCB0D014C5549EADC086F4B3D1099
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):5640568
                                              Entropy (8bit):6.7289957808607515
                                              Encrypted:false
                                              SSDEEP:49152:36jqWNjLlOwKt9FIKWqI5slMjDU414Z7Rh7GbmFDfqSA7vmUD4BwdpttcE6lruSB:36d9OX6cmIlFFLOAkGkzdnEVomFHKnPK
                                              MD5:6D200B52081D4CA30DCF2AB088AA767B
                                              SHA1:022FFAE9DEE8C4CE28716A7877D3AF1FCAF574B5
                                              SHA-256:2F8B69BFB5CDD55A8AAB17AEC44BED2A8C7DF39AF6DEE5569AD86279E808FEAB
                                              SHA-512:9F9CA5F0BCA7D27AD623AA8B52B3DCF640F6285A9A12172BCD148C06DD44BA15D579B04F9B9A0F077511424BEAAD85B9D9B1AA319EE1FFFAD41A8F23ED227512
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):84880
                                              Entropy (8bit):6.141383165715554
                                              Encrypted:false
                                              SSDEEP:1536:Sq3TGyLH5++0yWf5aZfNtSkaELru04/swGRkaMBm9/20Abvgf:XGij0yjVaELru04/syNe2k
                                              MD5:204F150EFF6AF9DC81160EBD1CB1EC95
                                              SHA1:26647AF75428CF9800AB167005CEF33F34E72D9E
                                              SHA-256:2CE7F83679C00FB2E6A82D1DFB7B09F6D3A28FC21E5579A635E28397D22348B8
                                              SHA-512:630C40B4068EC0278501CF1E88D26CD621DB9EB5ECDE9A20756DDAA1ECAEC5D4EDF695044C79766D7932B77FFA58B561FE893B7035FCEACBDE9213D123196527
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):84880
                                              Entropy (8bit):6.133297780794333
                                              Encrypted:false
                                              SSDEEP:1536:DC3upamWV+0fYRQs4MYkafzjGi4/swGxvVOi9Qm9/20/EvU:vpt0f8/4MnafzjGi4/sHD9d1Z
                                              MD5:CA26AEB869F362999F98D8EE445F2FA9
                                              SHA1:DB0D16C8E2EA1E06785843CCD41437E528978957
                                              SHA-256:41B1489817B6361659224E1DF06133E906049B3E83CA6F6A629058E1637F2163
                                              SHA-512:09D7B5BADF4E9DA198790138017FC9B78089BC10655EB7B342FCBE337A7445E24E4588A8F310A2C7FBC55A627D1040655077385185D632D02E717DAA9ABD7AE2
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):564112
                                              Entropy (8bit):6.4815093653930145
                                              Encrypted:false
                                              SSDEEP:12288:eUfve/yP6vdqumz2etG5ePx2Fl5/G3XLSNPDaQEKZm+jWodEEVf9+:ePbl9G32ZDaQEKZm+jWodEEB9+
                                              MD5:AAD273615E4370EEE181313CE425A738
                                              SHA1:2B970508D5089912CADA1F28DA05FB43AE4C37CB
                                              SHA-256:45AB2B54C433C6721589B1D7918F9C3F52F198A187DF4531B9A81E9DAB1385E1
                                              SHA-512:7E1AB0B6A9CDD7E4C2D981AF42C4A22763CA36013AA346D6499C339C58D0F7F1DC13DAC50F21479DEB9C4E2731E1FB5D2BDD9F7889E0BED0E18E2C1739836B7B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):971064
                                              Entropy (8bit):6.965132668528083
                                              Encrypted:false
                                              SSDEEP:24576:wmFyjHVMxBuwQLYucGp4iiqgNb3HoIbiIw:2My2yRgFoIbnw
                                              MD5:2FB20C782C237F8B23DF112326048479
                                              SHA1:B2D5A8B5C0FD735038267914B5080AAB57B78243
                                              SHA-256:E0305AA54823E6F39D847F8B651B7BD08C085F1DBBCB5C3C1CE1942C0FA1E9FA
                                              SHA-512:4C1A67DA2A56BC910436F9E339203D939F0BF854B589E26D3F4086277F2BEC3DFCE8B1F60193418C2544EF0C55713C90F6997DF2BFB43F1429F3D00BA46B39B0
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):373152
                                              Entropy (8bit):6.18826988009013
                                              Encrypted:false
                                              SSDEEP:6144:3k6a2HMG1O3NI6GMEydEZN/ynK6IMBVwxrhjEqU36sCE1fj7bnvF131I1k4cq/Fi:U6a2HMG1sNI6GMEydEv6KrMBVwxrhjED
                                              MD5:9E38C4E6116F32B1D3F9A7FE9A853676
                                              SHA1:7658720F300180B22538B29DAEA7511027CC65FB
                                              SHA-256:73A5A3AC966167983F35B13C8D8ACD337617307899B1F114072068AD4C7FFA7F
                                              SHA-512:1773AF66F1DC920B31E5A1BC98E1796E211ED2F074431CCFC82E41EDCC95ECEBDE1509A3A2669FF05AD308A6763E33B978FE678BF737E21FCAE54DB21ABF2753
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1128496
                                              Entropy (8bit):6.806056436078238
                                              Encrypted:false
                                              SSDEEP:24576:hsh8IBDlcakOq8x8XISuTJQuR0J7mcvIZPoy4UW:hg8Oh7GuTJQuCJwW
                                              MD5:4CD086A05C35D5E53CB5682B3A015BA2
                                              SHA1:1721F82F06E6ADC8D6284DF30F45D570D764AB85
                                              SHA-256:9704512EECD0B666F54A0B5E14932A5C3EFFB3762026CDBE0D2E7CC9D41E41CE
                                              SHA-512:40C70A6F098FD6F6F996781CF73DC3A0DE4AD088734B46EE70D1486AFF2B7DA11F42810EC893D9714EB8C4AE0FE9E11EE6DECFA6FD0D68E633EB20891C415428
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):436548
                                              Entropy (8bit):3.8009488650090337
                                              Encrypted:false
                                              SSDEEP:3072:zEre7GjyCaFvc4gCIk/7wEpvtUj95YSQt:zPX5g2FUfYSc
                                              MD5:A7D9E0DFF0A9C0FD0327EC9C140DF053
                                              SHA1:6A558D18B967AA32322153878035CDEBBE1B7FC2
                                              SHA-256:FC9B378C7679F171CA04FB9BB42423AFD48B0B7F62D4468A6A17689121DE5119
                                              SHA-512:3991E5D89FD89DAC48265A41CE5152CB4BFDC123973AEE942F0630D27C7E4164E4F2069AC60E5C1977971806EAAABE12995549BC9613484F12FCC164E261124F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):394640
                                              Entropy (8bit):6.339925813861082
                                              Encrypted:false
                                              SSDEEP:6144:PxanGaVFSxLukLxUrcYntAPTbRLbcCoK61AyDG2KJMNLraYIvUBrB+vr:HEFqsr1nKPTbRLbcwEAyLO6LWqBI
                                              MD5:BA3FF067C8C20EB5D6B587C3CD93C7A9
                                              SHA1:AAE5A0F304B22A4D732DC6CC013C80F480165CD2
                                              SHA-256:E0EB5DFD4E56C3208B96A75A1F714DA33140064F77B1B50F95E52AE58A65BFE6
                                              SHA-512:4B730C417F4C4F347709882455F8814F0DA9A5D75CE27EB5D82D5119A5F26CB5077D13EEF87EE12A98A3B9F920F8DEC67F1E84A5E83DE46C8EC84C67A922F647
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):177552
                                              Entropy (8bit):6.3300341814058285
                                              Encrypted:false
                                              SSDEEP:3072:uawAPnMhspAuNoREJFpyiYsLZD1YY7hmUDOJaR96Om/6:bpfYoAufptYsLZRpOJ26Z/6
                                              MD5:C9C027D49E59E4E8FAA38B64D6B301B6
                                              SHA1:FB98FA62D0579A341369C169FBD8312D806AE226
                                              SHA-256:E5065D53BE0A991607C396278F51C720E083AB1D0740364A0E537A31DCF61513
                                              SHA-512:8F817ADE11BD48C2153352B74D048D4B957A1BFF72A4E98992B4AFF755094B9A287229D8B27F5E299772161F744096FC80451CC4CA832813D21D35F7283BD5B0
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):96120
                                              Entropy (8bit):6.440691568981583
                                              Encrypted:false
                                              SSDEEP:1536:dkb0wrlWxdV4tyfa/PUFSAM/HQUucN2f0MFOqH+F3fecbTUEuvw:dWD4eUp+HQpcNg0MFnH+F3fecbTUED
                                              MD5:4A365FFDBDE27954E768358F4A4CE82E
                                              SHA1:A1B31102EEE1D2A4ED1290DA2038B7B9F6A104A3
                                              SHA-256:6A0850419432735A98E56857D5CFCE97E9D58A947A9863CA6AFADD1C7BCAB27C
                                              SHA-512:54E4B6287C4D5A165509047262873085F50953AF63CA0DCB7649C22ABA5B439AB117A7E0D6E7F0A3E51A23E28A255FFD1CA1DDCE4B2EA7F87BCA1C9B0DBE2722
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):36728
                                              Entropy (8bit):6.340048377061949
                                              Encrypted:false
                                              SSDEEP:384:nNn62MCmWEPhUcSLt5a9Y6v4HOE5fY/ntz5BBW0O3+XfeuncS79+pWrQKWhD/HRj:YdCm5PhUcxgHY/ntXBzxvV7KtDvCTO
                                              MD5:9CFF894542DC399E0A46DEE017331EDF
                                              SHA1:D1E889D22A5311BD518517537CA98B3520FC99FF
                                              SHA-256:B1D3B6B3CDEB5B7B8187767CD86100B76233E7BBB9ACF56C64F8288F34B269CA
                                              SHA-512:CA254231F12BDFC300712A37D31777FF9D3AA990CCC129129FA724B034F3B59C88ED5006A5F057348FA09A7DE4A0C2E0FB479CE06556E2059F919DDD037F239E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):94112
                                              Entropy (8bit):6.679423998554188
                                              Encrypted:false
                                              SSDEEP:1536:532sok7R2s01PuWi4hWFpB7J0gd3InToIf8IOQIOn59vyb+4DakRkQ+8iAH:Ushd2a540FpZdsTBfyGnLvj4DakR7DH
                                              MD5:50D3BE82608F4C17EBB0F80CCA4534D4
                                              SHA1:B213D9702DDAD0EDF20664447078063E6103E224
                                              SHA-256:438333DCA2EF87ABB4667411A6AF26F6DAECADAB3BE892354558E18F24E8094C
                                              SHA-512:A6B334625E0192159077AC8C91D79238A383185C3F715A72CC63A51C7207478B240CB294DD9788D5A53D6A486A1880327221452137B79EE1D899DD4F2634CCE8
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files\OCS Inventory Agent\OCSInventory.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):128
                                              Entropy (8bit):4.77548397862178
                                              Encrypted:false
                                              SSDEEP:3:1ouRbwX9EqXOpEtCyFpZ13X1p+MyYAmfxJAlboysVy:CuRbwX9CsCUhFoqHs+Vy
                                              MD5:1ECB0A2D364B048956E89D53D37E032A
                                              SHA1:56D892BED17A176CD09E64118D18C23B27FDEA9A
                                              SHA-256:FF239E21A9623C9584E14ABC6B16EF2A4801C2C420FF59FE6899CA260A4B4FCD
                                              SHA-512:6E0373ECD9C1CC8235C0A05F5B8A2AAABBE9ABE4431A4B66D5BB4D3EF7B28D26A8B3C2C5A6057D1E1FF114504E91CA3519256AE452319A7EBCF71D2CD63F1439
                                              Malicious:false
                                              Preview:[OCS Inventory Agent]..FragLatency=10..CycleLatency=60..PeriodLatency=1..PeriodLength=10..Timeout=30..CommandTimeout=120..On=0..
                                              Process:C:\Program Files\OCS Inventory Agent\OCSInventory.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):1686
                                              Entropy (8bit):4.982442517822286
                                              Encrypted:false
                                              SSDEEP:48:QG1HjMVsD+F3+CasFIswFrtbNsXlgk26H521623:lh+h+CasysfgAU
                                              MD5:97487EB34B583A7399BE27164F950215
                                              SHA1:8F84A399E6C361F4FD8D59E6AA7F6A0DEAC9D465
                                              SHA-256:4CFD3A0A6C87BD510FAAB702B14595E11479EF9678EB99DF95408F5C247FE9C2
                                              SHA-512:BDD9658ECDB073471AD64949A0B5260C5C86F7E48259EF4ECE5C1E373EBA44DA53D419B5FE8235FE3A4CB2F2AA0CD572B78DE4D9495E0C6653CB431CD2A3F94D
                                              Malicious:false
                                              Preview:<SAAS>.<ENTRY>portal.fm2c.com.br</ENTRY>.<DATA>119.8.87.215</DATA>.<TTL>3535</TTL>.</SAAS>.<SAAS>.<ENTRY>ti.fm2c.com.br</ENTRY>.<DATA>119.8.228.120</DATA>.<TTL>3578</TTL>.</SAAS>.<SAAS>.<ENTRY>ctldl.windowsupdate.com</ENTRY>.<DATA>wu-bg-shim.trafficmanager.net</DATA>.<TTL>205</TTL>.</SAAS>.<SAAS>.<ENTRY>wu-bg-shim.trafficmanager.net</ENTRY>.<DATA>wu.azureedge.net</DATA>.<TTL>205</TTL>.</SAAS>.<SAAS>.<ENTRY>wu.azureedge.net</ENTRY>.<DATA>wu.ec.azureedge.net</DATA>.<TTL>205</TTL>.</SAAS>.<SAAS>.<ENTRY>wu.ec.azureedge.net</ENTRY>.<DATA>bg.apr-52dd2-0503.edgecastdns.net</DATA>.<TTL>205</TTL>.</SAAS>.<SAAS>.<ENTRY>bg.apr-52dd2-0503.edgecastdns.net</ENTRY>.<DATA>hlb.apr-52dd2-0.edgecastdns.net</DATA>.<TTL>205</TTL>.</SAAS>.<SAAS>.<ENTRY>hlb.apr-52dd2-0.edgecastdns.net</ENTRY>.<DATA>cs11.wpc.v0cdn.net</DATA>.<TTL>205</TTL>.</SAAS>.<SAAS>.<ENTRY>cs11.wpc.v0cdn.net</ENTRY>.<DATA>72.21.81.240</DATA>.<TTL>205</TTL>.</SAAS>.<SAAS>.<ENTRY>ocsp.digicert.com</ENTRY>.<DATA>ocsp.edge.digicert.com</DATA
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):133
                                              Entropy (8bit):5.07125068656256
                                              Encrypted:false
                                              SSDEEP:3:vFWWMNHU8LdgC4vtdw2aMf2duN1gQ1F2pgukH5pgWKvmSaMv:TMVBdYrw2dBDgAgk5KvmSN
                                              MD5:47C2933791A68A2AD12398F8BD7D703F
                                              SHA1:B9130D8DFE7B3E3DC00E59FFDCF05C99B53ED5B5
                                              SHA-256:4E381A46F8DCB656DDF23F9EF19B726403AB9576CEBD9E72325730F20C22A800
                                              SHA-512:221E2A803B456310C873E984860F8ACC749AF1D2B773BEB44487409426D98072EDEC713E5FDE0CE1FA8367598A2ECE87F872005B9A9A75F7BA006CC049B6F546
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" ?>..<ACCOUNTINFO>.. <KEYNAME>TAG</KEYNAME>.. <KEYVALUE>office</KEYVALUE>..</ACCOUNTINFO>..
                                              Process:C:\Program Files\OCS Inventory Agent\OCSInventory.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1527
                                              Entropy (8bit):5.01780329284287
                                              Encrypted:false
                                              SSDEEP:24:2dPvtYLJqfsnNbDbUCFM9M2uhgbzxqUhi/VHE3VH0A61dwWwSYM5+aNv:cPVYL3pDwCFM9M/gbzxvhi/hc61Twwzv
                                              MD5:83EE660E3BD7B85B633620DCE898AFD9
                                              SHA1:343B319CB303366989E848F2D2155EA6F62D9F03
                                              SHA-256:B97C66617C26DC164D28421FC25C1C8DA1BC1D5700AA4F5B5D620D2BCB87FC9F
                                              SHA-512:0C325E2C462E2914002C42FE8FEB03FE17C3C8D60D4D9D2230780F53054DF695267D74DA2D926FE11231FE72C3BC5D00E08D18B8BFC9E70D49AAFED1ED6B7A35
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-8" ?>..<LAST_STATE>.. <HARDWARE>E210B71BB35F9B4BA5FD87D65D7A1D9488B72A5B</HARDWARE>.. <BIOS>DE724F3CD7B297A3C86EF168AA009CBD7AC5A4B9</BIOS>.. <MEMORIES>5512A3E622FFE91C9650118DA6D5C4AF797DAAA4</MEMORIES>.. <SLOTS>D2F5186B9E8E79A87439AA7A3A4EB4F6FC98532F</SLOTS>.. <REGISTRY />.. <CONTROLLERS>CC9CA58F1FECF52402CE6EE3D007AEDDD4107D29</CONTROLLERS>.. <MONITORS>26BEFF9A9133551FF794D3396B45364A0BDB6A01</MONITORS>.. <PORTS>D773E8DA55D67700B45D90E4070CC756E6D1BC59</PORTS>.. <STORAGES>140AB975169109D2BD71DE22A9DD551519689807</STORAGES>.. <DRIVES>AF2FB26F81125C83D6B04EC6DE8574A527FC5427</DRIVES>.. <INPUTS>F41CF5200451925F8096B69B620EB82D5924E89D</INPUTS>.. <MODEMS />.. <NETWORKS>5742CCA9AEC5023574CBC451CEC6CEC70DF09FCA</NETWORKS>.. <PRINTERS>E633AE7D05D8AB6F640FDBB2A0B95C97DCCEEC18</PRINTERS>.. <SOUNDS>63020CAD866BA09A2111EA173A388AD821DF0284</SOUNDS>.. <VIDEOS>C5BBC1F4103C006A8F3B70742ABBD18829A0DA4E</VIDEOS>..
                                              Process:C:\Program Files\OCS Inventory Agent\OCSInventory.exe
                                              File Type:zlib compressed data
                                              Category:dropped
                                              Size (bytes):50
                                              Entropy (8bit):4.581467880199449
                                              Encrypted:false
                                              SSDEEP:3:WRCQtgU2S7x4OuuKa:WRTtpfN
                                              MD5:689EA33056B228944B1B16AF8FCC14A6
                                              SHA1:DF299D8D202FE5BE7F47844910970B692009A4C4
                                              SHA-256:0741628E26538A6D438AB15D7B9DA2ACF8E755CBBE801D8FC18967D5C135AA94
                                              SHA-512:A276160CF7A679EBDF2BDCB9330AA9867751CBD24BA7EDDC8267609CFB4F024D80CC6D948827F6FCD38E7B9334DB282157C9A2E4703FE1FCCFE4696EA923A794
                                              Malicious:false
                                              Preview:x.241470.5202.50.50.!#c]c..Wg+7.+''+WG+CS+........
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:Generic INItialization configuration [HTTP]
                                              Category:dropped
                                              Size (bytes):438
                                              Entropy (8bit):5.436232770962316
                                              Encrypted:false
                                              SSDEEP:6:CuRbHQIY5XjKVWVuLyP4TcfihqsZpnX3DgvREvO/KeYyZbleiQeuJuR6jMUo3xzX:uL5XjC+QSiIsZpnDgmvOEg79U6Wq
                                              MD5:3EAD26B2DFDB703694FD376E7D367910
                                              SHA1:84DA6C814064C57CC72B591D1109D74C21C85432
                                              SHA-256:127BA55E416DEA91F57CF874FB793E6A9BE86B0F9273069F2FC76D9BD37ACB5D
                                              SHA-512:554880BB67EF280D75DBF51DE292C2DCE70DE993175768D18C62BFC69621F5872D1F70A8D878AD169954FBEADC628B06F7496DDCB4270751CF081DC4DDFE8B14
                                              Malicious:false
                                              Preview:[OCS Inventory Agent]..ComProvider=ComHTTP.dll..Debug=0..Local=..NoSoftware=0..HKCU=0..NoTAG=0..IpDisc=..WMI_FLAG_MODE=COMPLETE..DEFAULT_USER_DOMAIN=..[HTTP]..Server=http://ti.fm2c.com.br/ocsinventory..SSL=1..CaBundle=cacert.pem..AuthRequired=0..User=..Pwd=..ProxyType=0..Proxy=..ProxyPort=0..ProxyAuthRequired=0..ProxyUser=..ProxyPwd=..[OCS Inventory Service]..PROLOG_FREQ=24..INVENTORY_ON_STARTUP=1..OLD_PROLOG_FREQ=24..TTO_WAIT=27000..
                                              Process:C:\Program Files\OCS Inventory Agent\OCSInventory.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):875
                                              Entropy (8bit):5.056224993741618
                                              Encrypted:false
                                              SSDEEP:12:tNztG1cZI6fZ16ESpMlvxXGmcrmX3ExOCrmKG7aSxdQLWFWSKvLjcSgLeOG7vE1i:1ys1AuGLrmVZLeWFWSmXgYE1Nv0Tf
                                              MD5:68182A0E9C7891597A77B6273F94278F
                                              SHA1:CECA354ECCE656EA17AD7B97FEDE7B11005E8079
                                              SHA-256:DF784EB713418821B87073388C0ADC5992A442238BEA514E75E3B3A36C5F413D
                                              SHA-512:6AD0E50F5E82477930FE7DF16688AA8C3062D4C7001D33C82210D17C270ABA8D7A2A931CD6DB3D8D82F4F26AC22CD0574572DB91FC4E073BC598D42C08F1B275
                                              Malicious:false
                                              Preview:==============================================================================..Starting OCS Inventory Agent on Saturday, March 02, 2024 02:23:53...AGENT => Running OCS Inventory Agent Version 2.9.2.0..AGENT => Using OCS Inventory FrameWork Version 2.9.2.0..AGENT => Loading plug-in(s)..AGENT => Using network connection with Communication Server..AGENT => Using Communication Provider <OCS Inventory cURL Communication Provider> Version <2.9.2.0>..AGENT => Sending Prolog..AGENT => Prolog successfully sent..AGENT => Inventory required..AGENT => Launching hardware and software checks..AGENT => Sending Inventory..INVENTORY => Inventory changed since last run..AGENT => Inventory successfully sent..AGENT => Communication Server asked for Package Download..AGENT => Unloading communication provider..AGENT => Unloading plug-in(s)..AGENT => Execution duration: 00:00:16.....
                                              Process:C:\Program Files\OCS Inventory Agent\OcsService.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1783
                                              Entropy (8bit):5.173516233416579
                                              Encrypted:false
                                              SSDEEP:24:1ms1AuGLrmnxvUU7s1AuGLrm1FOFuiZLeWFWS0yVPXgYE1Nv0w:1ms1VaC+U7s1VaC1FOFuItvVPe
                                              MD5:47BA7C8132A052F531ADC03BAE1D9205
                                              SHA1:919DA7EDCC2A4D4068B78E08A4730BDE7FCE3D06
                                              SHA-256:5BDF41F9C6FD3BAEBF3CE3D6E82596224172E10B7E51761CA4737F26C261B752
                                              SHA-512:7B61503C84858FA902D621699DBAD843C512234D48D90A26B25A0DF3BEF563ADE5B486AD43A9FE04EB09E5BD38240D5E14E1F9A96518BD0CB369F874C44271C8
                                              Malicious:false
                                              Preview:==============================================================================..Starting OCS Inventory Agent on Saturday, March 02, 2024 02:23:31...AGENT => Running OCS Inventory Agent Version 2.9.2.0..AGENT => Using OCS Inventory FrameWork Version 2.9.2.0..AGENT => Loading plug-in(s)..AGENT => Using network connection with Communication Server..AGENT => Using Communication Provider <OCS Inventory cURL Communication Provider> Version <2.9.2.0>..AGENT => Writing configuration to file <C:\ProgramData\OCS Inventory NG\Agent\ocsinventory.ini>..AGENT => Unloading communication provider..AGENT => Unloading plug-in(s)..AGENT => Execution duration: 00:00:00.....==============================================================================..Starting OCS Inventory Agent on Saturday, March 02, 2024 02:23:34...AGENT => Running OCS Inventory Agent Version 2.9.2.0..AGENT => Using OCS Inventory FrameWork Version 2.9.2.0..AGENT => Loading plug-in(s)..AGENT => Using network connection with Communicatio
                                              Process:C:\Program Files\OCS Inventory Agent\OcsService.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1024
                                              Entropy (8bit):7.824981762236599
                                              Encrypted:false
                                              SSDEEP:24:F6+fZwOz0l9GSZPaOEqpYBOLtmJuT5DfqJIdrO19MFQo2Lw+VMYQAzH:FvFzcJZPaOTpQYtmJuTFyIdrO19M6tG+
                                              MD5:44B89EA39408BD1FF7989D7BE4A43A5E
                                              SHA1:46C9E1A7D2C66EEFAD6458EBBC780F3C1D37B044
                                              SHA-256:8A55FEDB9822A6D2EF06DBBDC63EC90E07C024F9EEED9EA58987A041A6F0541C
                                              SHA-512:50F53B80F2B13EE4706B59D904DAD33E5E2677767F6E80FAB6B463D810E81B2C1934D18B80B6B3D5743681D05C2D0E60F27CEFBB2E4E89A865E0848F9C45F8C2
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ocs-office.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):6225663
                                              Entropy (8bit):7.925666116447602
                                              Encrypted:false
                                              SSDEEP:98304:hk8ZyHrQeSVQxYqYqwD9VjNodewaJ2K1zHPzOYJjBKLOwelpGCy:hk8ZyH1jYqcideH1YOweCCy
                                              MD5:BCD0D1EA9750CA6F018DA33DD41552B1
                                              SHA1:D5AE2A1432CD5397AB0E13C673364B5E153354C0
                                              SHA-256:6E0CEFC100A0C17B46F593078F116053E41CF46A2E272C8694A2CFFA29B640E0
                                              SHA-512:26D303E0D66FFDFDC118BAB0B0E1436C24F6D45B96C6526F515F4F85150342407C37BE0426B2305B2E60A0AEF85A0976E7196AFC9182DCDE6490DD731B0A125E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 3%
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:NlllulJnp/p:NllU
                                              MD5:BC6DB77EB243BF62DC31267706650173
                                              SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                              SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                              SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                              Malicious:false
                                              Preview:@...e.................................X..............@..........
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):2464
                                              Entropy (8bit):5.165821133417603
                                              Encrypted:false
                                              SSDEEP:48:wcJ4GJ3I//qGfdEOMFcZxmAw+apFqSmf4WZiJ3W514yoA9S6XxTOKG4Lz:wcaGJ3IHEOMFcZ4lcNZiY/4HA86XxTOo
                                              MD5:D6530B0E0EC8FA2DD80F034A2D84FB05
                                              SHA1:09709AD2D0B68AFCE2F13E931BB3CA6B9A2998CA
                                              SHA-256:9B0C72F8A8DDA39DF4A73290F3E66648891E9E3E5A504E9CDE1B6361055876A1
                                              SHA-512:4ECAC12A5EEB3CD8B7C62E928264C426A57849A976A92B191697D363F07ACA66E660634114656B148F041DE201E454D0083D54F8EBBA32258AD1E0B6523B677C
                                              Malicious:false
                                              Preview:********************************************************..Starting OCS Inventory NG Agent 2.9.2.0 setup on 02/03/2024 at 2:23:01..Checking if setup not already running...OK...Checking Operating System...OK, Windows 2000 or higher...Command line is: "C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe" /S /NP /NOSPLASH /NO_SYSTRAY /NOW /TAG="office" /SERVER=http://ti.fm2c.com.br/ocsinventory..Parsing command line arguments...OK...Checking for silent mode...Enabled...Checking for splash screen...Disabled...Checking if logged in user has Administrator privileges...OK...Creating directory <C:\ProgramData\OCS Inventory NG\Agent>.....SetACL allowing Users / Power users read/write permissions on <C:\ProgramData\OCS Inventory NG\Agent>...Result: error..SetACL propagating inherited permissions on <C:\ProgramData\OCS Inventory NG\Agent\Download>...Result: error..Trying to determine if service was previously installed...No...Trying to stop service and kill processes.....Trying to find pro
                                              Process:C:\Users\user\Downloads\ocsoffice.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):3016
                                              Entropy (8bit):5.30970049375371
                                              Encrypted:false
                                              SSDEEP:48:eYpK5XnJIlg45FhIEX5KeKtRnTXJdYRHQDwXbAiNJpZ3doJXQTN2NkUHm5:lpKI/5vIcKeKTwqaAiNLZoX2UW
                                              MD5:06E43B247299069CA58AD57CAD956A9A
                                              SHA1:B0000965F320EB3632A74B4764C6924F9677DDF2
                                              SHA-256:A6080F6A677068F42C16708F755C606B79492E62B9824D7D7B367421183B6A88
                                              SHA-512:DF2BB6D2D1AB43E44ACC344C908AFCF9AF595A715A7182BDE1AC1CA7F0D38CDEC31CA38BA13C5D21C266FAF6E321D25BDB4B0771CE5001C859C407678034DC9E
                                              Malicious:false
                                              Preview:'----------------------------------------------------------.' Plugin for OCS Inventory NG 2.x.' Script :..Retrieve Office 365 16.0 user info.' Version :..0.10.' Date :..24/02/2021.' Author :..Erich Strewlow.'----------------------------------------------------------.' OS checked [X] on.32b.64b.(Professionnal edition).'.Windows 10. [X].[X].' Windows 2012 [X] [X].' ---------------------------------------------------------.Option Explicit...Const HKEY_USERS = 2147483651..Dim aUsers().Dim aIdent().Dim registryObject .Dim conn.Dim r.Dim k.Dim j.Dim sid.Dim email.Dim name.Dim lastlogin.Dim expirationdate.Dim d.Dim IsoDate.Dim IsoTime.Dim ident..Set registryObject = GetObject("winmgmts:root\default:StdRegProv")..'If OCS agent is started as a service, it knows the local users configuration only.'through HKEY_USERS. We scan all the registered users in the host, listing.'everyone with an Office 16.0 setup.r=registryObject.EnumKey(HKEY_USERS,"",aUsers)..If r <> 0 Then. wscript.quit.End
                                              Process:C:\Users\user\Downloads\ocsoffice.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):5907776
                                              Entropy (8bit):7.918957013591
                                              Encrypted:false
                                              SSDEEP:98304:9ljyhT2i2FwZ6Y2qoDzPP3KNmM0nucx1HZV24FbBe/2Q+7:9ljyhRx2q6SNmxvC2Q+7
                                              MD5:B2216E895278C44D8168F78188AB4FE9
                                              SHA1:1713934F28B6D254DBE81CA9CE1BC8E0F12B5A21
                                              SHA-256:8849DD8D74071A9120C461D9F6B6AD965165392B0681EAA22EB97CB423B7105A
                                              SHA-512:B7470E3FF93B2A66493B1D0A358D04E09D4DCE27B3DCBDA9B5FADBDF85329A049C7E029A9527A21471EA867600875D79A9D386F3110AE8806A3B448E8429D603
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\Downloads\ocsoffice.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.854901984552606
                                              Encrypted:false
                                              SSDEEP:192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
                                              MD5:0063D48AFE5A0CDC02833145667B6641
                                              SHA1:E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
                                              SHA-256:AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
                                              SHA-512:71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\Downloads\ocsoffice.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):4096
                                              Entropy (8bit):3.3137381198157176
                                              Encrypted:false
                                              SSDEEP:48:qKDco4hlWl4WXXqQr1wHslNzrToTod/J/AMVyjlZSg7/R5gYpY7:5AZWRKQruHsLoodhNVyPgY
                                              MD5:E167F9A565781A30C03FF10370033319
                                              SHA1:1858758B076946073DE375C6EB1BEC9867AA3689
                                              SHA-256:A912514823DF595BA3A048099D3B89E925A4D41742AFC67E772060952892F312
                                              SHA-512:96D8F5AC8E2C0961BA71075DE52D12515E7A058CDDF3FA1EC14E77545B0B5F4E29324A13E2EB287A447F1D24DC9F09E0A70B0A25401B0EF8D90E6E4A96CE6C61
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\Downloads\ocsoffice.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):417337
                                              Entropy (8bit):3.5034809290466633
                                              Encrypted:false
                                              SSDEEP:1536:rXoKlnzpMyqDQ+IJDDctJUX0DKR+colLDgCIk/V1wErZNF6H53Ro:bomnzVincQDKgc0gCIk/7wEaNRo
                                              MD5:3F4CD95A8DF390E36298093C74B3BF7E
                                              SHA1:AEC24EED92E075A02374E5C0735A0255BFA807A5
                                              SHA-256:235E273AAB3681F966A22EE1238E3E5D1E4865502D97ECA4D0C4ECAAA2E2AE06
                                              SHA-512:0E14C6B48F8EE22490615C4D28984481003A3CAEBF1EAFD2E5A9D08D0E3848AF3377158F2B8921B1CA125F1A7EBDD66928128DA588CB8B210D2FF2B2E84500C5
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\Downloads\ocsoffice.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):271
                                              Entropy (8bit):5.32024493343668
                                              Encrypted:false
                                              SSDEEP:6:pDW6XVouRLaRAXWZouRmuRojwWDwkn23fwAruEhIvd2uDgvn:I6XUAXWUTwJfo1Pdjgv
                                              MD5:5348BB6D7130E3BE3BA54031F91DBDDF
                                              SHA1:859AA661563E76AEBFD55A0EAA45F0851F219ECE
                                              SHA-256:E0E7E69219FB7C6842048CC58527805BA4D8E588FEEE6BEFF61BA2A1C3FD88F0
                                              SHA-512:A223D7B7D56CEF7FA5A3102F87F2083A5AFEF726EB45CC5A18BE606A53092017503866ED6078AB9AC5D4A5973E3FDCB45F4ED448DA1BBE6C1CBBF30C58779BA9
                                              Malicious:false
                                              Preview:[Config]..InstallFolder=C:\Program Files\OCS Inventory Agent..DataFolder=C:\ProgramData\OCS Inventory NG\Agent..LogFile=C:\Users\user\AppData\Local\Temp\ocspackage.log..CmdLine= /S /NP /NOSPLASH /NO_SYSTRAY /NOW /TAG="office" /SERVER=http://ti.fm2c.com.br/ocsinventory..
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):5.083312243715674
                                              Encrypted:false
                                              SSDEEP:384:3rYz6grZodORNWATt4TBmlk5ooyzFh7BukAUdJoUtSOSR:3QggDWATWNCFh7BNddJoxO+
                                              MD5:83142EAC84475F4CA889C73F10D9C179
                                              SHA1:DBE43C0DE8EF881466BD74861B2E5B17598B5CE8
                                              SHA-256:AE2F1658656E554F37E6EAC896475A3862841A18FFC6FAD2754E2D3525770729
                                              SHA-512:1C66EAB21F0C9E0B99ECC3844516A6978F52E0C7F489405A427532ECBE78947C37DAC5B4C8B722CC8BC1EDFB74BA4824519D56099E587E754E5C668701E83BD1
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):559528
                                              Entropy (8bit):6.0903310211485335
                                              Encrypted:false
                                              SSDEEP:12288:ZM9AwIce16TCkcgxjouFmQGzt/B6QziZUt2qaV7se:ZM9Sce16TCkcgxMuFmQGztZZiSAqA7R
                                              MD5:3E350EB5DF15C06DEC400A39DD1C6F29
                                              SHA1:F1434CFEF2C05FDA919922B721EC1A17ADB3194E
                                              SHA-256:427FF43693CB3CA2812C4754F607F107A6B2D3F5A8B313ADDEE57D89982DF419
                                              SHA-512:B6B6CDFE2B08AA49254E48302385A3A2A8385E2228BDCFFD3032757ACF1A1D4ABFF1270F5488083CFA4480439FF161A9D0EA5F193CABC1EB1E7B1255CE262AB6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.855045165595541
                                              Encrypted:false
                                              SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                              MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                              SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                              SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                              SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):4096
                                              Entropy (8bit):3.3299050324162005
                                              Encrypted:false
                                              SSDEEP:48:qKiRbhg7V46Br1wHsl9rECxZShMmj3tPRYBA:52OVZruHs1xH6t+i
                                              MD5:ACBDA33DD5700C122E2FE48E3D4351FD
                                              SHA1:2C154BAF7C64052EE712B7CDF9C36B7697DD3FC8
                                              SHA-256:943B33829F9013E4D361482A5C8981BA20A7155C78691DBE02A8F8CD2A02EFA0
                                              SHA-512:D090ADF65A74AC5B910B18BB67E989714335E7B4778CD771CFF154D7186351A1BEBBC7103CCA849BDFA2709C991947FFFF6C1D8FDF16A74F4DFB614BCE3FF6FD
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:Generic INItialization configuration [Field 1]
                                              Category:dropped
                                              Size (bytes):1181
                                              Entropy (8bit):5.185937957037153
                                              Encrypted:false
                                              SSDEEP:24:ZYOwK01VZJRmoIp8NXRRoTlcx3/V1Bx77ouFjrpcSyFZJ1:SsAVFLRwuj77copDK
                                              MD5:B3443D34166CF60740E1900EB9F31DE1
                                              SHA1:D37381B5493D326191E77F1860B20B937F6EB1D5
                                              SHA-256:18CC4ECE01A1EF091F9283FB58E26D13896FD33DCFC95F5C4DFD072444F91484
                                              SHA-512:A35A034ADE5C0B7F0564CFF77B93F680A649FE4412A0ABFC109D5BFAEDE9E09BA24D972709DD8AFCB8BD263A399D5241508E331CBA44D091865716FCF9ABDC24
                                              Malicious:false
                                              Preview:; Ini file generated by the HM NIS Edit IO designer...[Settings]..NumFields=10....[Field 1]..Type=Groupbox..Text=General options.....Left=0..Right=300..Top=0..Bottom=70....[Field 2]..Type=Groupbox..Text=Setup options.....Left=0..Right=300..Top=75..Bottom=136....[Field 3]..Type=Label..Text=Specify TAG value :..Left=15..Right=78..Top=54..Bottom=62....[Field 4]..Type=Checkbox..Text=Enable verbose log..Left=15..Right=290..Top=12..Bottom=22..State=0....[Field 5]..Type=Checkbox..Text=Never ask for TAG..State=0..Left=15..Right=290..Top=38..Bottom=48....[Field 6]..Type=Text..Left=80..Right=290..Top=52..Bottom=64..State=office....[Field 7]..Type=Checkbox..Text=Do not register service - agent must be launched manually (= /NO_SERVICE) ..Left=15..Right=290..Top=89..Bottom=100..State=0....[Field 8]..Type=Checkbox..Text=Do not register Systray applet to automatically start (= /NO_SYSTRAY)..Left=15..Right=290..Top=105..Bottom=115..State=1....[Field 9]..Type=Checkbox..Text=Immediately launch inventory
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:Generic INItialization configuration [Field 1]
                                              Category:dropped
                                              Size (bytes):971
                                              Entropy (8bit):5.178089567295516
                                              Encrypted:false
                                              SSDEEP:12:ZYrltNkSeVpdJup7Lacl7r7v2NVWpyiZK7BpVoL4pCtXuplhsG5611pJhh5qFgE7:ZYOSI4FaEyVW/KBUZ+mG5611jh2Ft
                                              MD5:EDD5C98CA00BE1B4517A4D1B28C152FC
                                              SHA1:C1686F1DD9F6B35C1D83CEF9CD75FC115C0BD840
                                              SHA-256:ED8BA600B5DAF2F9DEADF00862CEC84DC9BF6DCAB8995EFC0DB7A75FEA1C40C6
                                              SHA-512:10AAF9A669674142233FCF7649ECB2EF6E1431541A324D83CE33E5F455819C703A8DA3ABB876B0D0B8D4E06C8DF7755D4F8457FC3F57B1BD64B93244622707D7
                                              Malicious:false
                                              Preview:; Ini file generated by the HM NIS Edit IO designer...[Settings]..NumFields=9....[Field 1]..Type=Groupbox..Text=WMI options.....Left=0..Right=300..Top=3..Bottom=102....[Field 2]..Type=Label..Text=Behavior of WMI calls :..Left=9..Right=85..Top=17..Bottom=27....[Field 3]..Type=Label..Text=Default user domain :..Left=9..Right=78..Top=81..Bottom=96....[Field 4]..Type=Text..Left=80..Right=290..Top=80..Bottom=92..State=....[Field 5]..Type=Label..Text=COMPLETE: Allow WMI to retrieve current domain user..Left=9..Right=285..Top=32..Bottom=40....[Field 6]..Type=Label..Text=If the WMI does not allow the recovery of the current user..Left=9..Right=292..Top=54..Bottom=64....[Field 7]..Type=Label..Text=READ: Not allow..Left=9..Right=62..Top=41..Bottom=49....[Field 8]..Type=Label..Text=which default user should OCS return ?..Left=9..Right=132..Top=65..Bottom=73....[Field 9]..Type=Droplist..State=COMPLETE..ListItems=COMPLETE|READ..Left=88..Right=290..Top=14..Bottom=107....
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:Generic INItialization configuration [Field 1]
                                              Category:dropped
                                              Size (bytes):619
                                              Entropy (8bit):5.119705333270295
                                              Encrypted:false
                                              SSDEEP:12:ZYrltNMMc2j9MxLiVkjapLgDM2vgA8Nyr9itXCRh:ZYJcmwLskja18jgA8NmitXCRh
                                              MD5:06F67F6875C9F578509F1C65457875DF
                                              SHA1:D680727C9F4A126D1BE130B32B8A9DA553AFD6F0
                                              SHA-256:4EB25F2DF800FAAF060AFAC330B19EDE713D7218F79148428FB825652652604A
                                              SHA-512:84F766F0E62704EBFC9563A6E84EDC39F68D30EB31BF878B05E856D6CBC759D15E7D67A4EB034277CE6C4BDE931E4C1B2CBA2ABFCD6A6573D169B3C1A8F910DA
                                              Malicious:false
                                              Preview:; Ini file generated by the HM NIS Edit IO designer...[Settings]..NumFields=6....[Field 1]..Type=Groupbox..Text=General options.....Left=1..Right=300..Top=1..Bottom=70....[Field 2]..Type=Groupbox..Text=Save inventory result file to folder.....Left=0..Right=300..Top=76..Bottom=134....[Field 3]..Type=Label..Text=Specify TAG value :..Left=15..Right=78..Top=51..Bottom=59....[Field 4]..Type=Checkbox..Text=Enable verbose log..State=0..Left=15..Right=289..Top=25..Bottom=33....[Field 5]..Type=Text..Left=80..Right=290..Top=49..Bottom=60....[Field 6]..Type=DirRequest..State=C:\..Left=12..Right=288..Top=112..Bottom=124....
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):6656
                                              Entropy (8bit):5.151298966041169
                                              Encrypted:false
                                              SSDEEP:96:pBNUBGfVwhcAlhPRJAixx+3eDEsgcBbcB/NFyVOHd0+uisX4:qBGfV5AlJJfFgcBbcB/N8Ved0P
                                              MD5:09C2E27C626D6F33018B8A34D3D98CB6
                                              SHA1:8D6BF50218C8F201F06ECF98CA73B74752A2E453
                                              SHA-256:114C6941A8B489416C84563E94FD266EA5CAD2B518DB45CD977F1F9761E00CB1
                                              SHA-512:883454BEF7B6DE86D53AF790755AE624F756B48B23970F865558BA03A5AECFA8D15F14700E92B3C51546E738C93E53DC50B8A45F79EF3F00AA84382853440954
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):4608
                                              Entropy (8bit):4.666004851298707
                                              Encrypted:false
                                              SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
                                              MD5:FAA7F034B38E729A983965C04CC70FC1
                                              SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
                                              SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
                                              SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:Generic INItialization configuration [Field 1]
                                              Category:dropped
                                              Size (bytes):999
                                              Entropy (8bit):5.034814430563346
                                              Encrypted:false
                                              SSDEEP:24:ZYjtKtWWvp8sI4WRPHPgp1CVQVneyAVmsRDVn:Sj3shWNKmymb
                                              MD5:B98FBEDAF51931F5CF86D4074BF8ABC3
                                              SHA1:92DCCB682430766CC99A3E9107B04F62644FA935
                                              SHA-256:9E12DDB4AA9F97B4DC36950D4DFA47B4ED45843DBA54CE03920D5C683B45C1DC
                                              SHA-512:50A25139C07DD7DBB2562BA196FD38E911A3C762FCF91F214CA62AA4FBDEAC8DD6D3BAFF41D692E79FFFD8E366237978D79304803421813B661E6A4E504055BC
                                              Malicious:false
                                              Preview:; Ini file generated by the HM NIS Edit IO designer...[Settings]..NumFields=11....[Field 1]..Type=Groupbox..Text=Proxy credentials (optional).....Left=0..Right=300..Top=75..Bottom=136....[Field 2]..Type=Label..Text=Proxy type :..Left=0..Right=60..Top=0..Bottom=8....[Field 3]..Type=Label..Text=Address :..Left=0..Right=60..Top=25..Bottom=33....[Field 4]..Type=Label..Text=Port :..Left=0..Right=60..Top=49..Bottom=57....[Field 5]..Type=Label..Text=User :..Left=30..Right=60..Top=94..Bottom=105....[Field 6]..Type=Label..Text=Password :..Left=30..Right=60..Top=112..Bottom=120....[Field 7]..Type=DropList..Text=DropList..State=None..ListItems=None|HTTP|Socks 4|Socks 5..Left=70..Right=300..Top=0..Bottom=14....[Field 8]..Type=Text..Left=70..Right=300..Top=25..Bottom=38..State=....[Field 9]..Type=Text..Left=70..Right=300..Top=49..Bottom=62..State=....[Field 10]..Type=Text..Left=80..Right=280..Top=94..Bottom=107..State=....[Field 11]..Type=Password..Left=80..Right=280..Top=112..Bottom=124..State=..
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:Generic INItialization configuration [Field 1]
                                              Category:dropped
                                              Size (bytes):1185
                                              Entropy (8bit):5.22612925152494
                                              Encrypted:false
                                              SSDEEP:24:ZYsVJPVnu3ug+uVRMkup8KgouU4K2zJSo8b1KgVVVVOw4tTbhNB+r:Skdu3FBFpZHN9SRm5Va
                                              MD5:E78E5E31987538F7ECD33B27ABFBFF9A
                                              SHA1:989683D4D072E2AADE6FEEF2152C6041FF9827AA
                                              SHA-256:40631602F68588699B51DF5461E915DF9760A5A472901BDDE35D236B45C4D021
                                              SHA-512:E9C0D69FB0B0BAFE487C7CDF95C936CFF663C3D40B1FD4224BD87AE90125FD6417DE93834A53BC4C2C99C6CB2813E6FC9B5DEE71685482350BFCCF8D37E19FB5
                                              Malicious:false
                                              Preview:; Ini file generated by the HM NIS Edit IO designer...[Settings]..NumFields=11....[Field 1]..Type=Groupbox..Text=Server credentials (optional).....Left=0..Right=300..Top=35..Bottom=81....[Field 2]..Type=Groupbox..Text=Server security (DISABLING THIS IS NOT RECOMMENDED).....Left=0..Right=300..Top=89..Bottom=137....[Field 3]..Type=Label..Text=Server URL ( http[s]://your_ocs_server[:ocs_server_port]:/ocsinventory )..Left=0..Right=300..Top=0..Bottom=9....[Field 4]..Type=Label..Text=User :..Left=30..Right=66..Top=52..Bottom=62....[Field 5]..Type=Label..Text=Password :..Left=30..Right=66..Top=65..Bottom=73....[Field 6]..Type=Label..Text=CA Certificate path :..Left=31..Right=93..Top=121..Bottom=129....[Field 7]..Type=Text..Left=0..Right=300..Top=14..Bottom=25..State=http://ti.fm2c.com.br/ocsinventory....[Field 8]..Type=Text..Left=80..Right=280..Top=49..Bottom=59..State=....[Field 9]..Type=Password..Left=80..Right=280..Top=65..Bottom=76..State=....[Field 10]..Type=Checkbox..Text=Validate certi
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):7680
                                              Entropy (8bit):5.131018530714358
                                              Encrypted:false
                                              SSDEEP:96:XrXHYWyrDznMnpuQQQjGVw1DVjjQrFUsuL579yAwEN3sKPqg3k+9tyz:XzbcUpuQQcCSDVjjQrFDkZ9Fw+3fiYH
                                              MD5:89408795F143525890BBDA9281C42F45
                                              SHA1:BD9F08641CBE86D18C985CEA5325DC2AD8525AA6
                                              SHA-256:065564C3D7E19E7DEA083FB9A426DFDFEABBA6CA3A7587BEE938F75DB5753114
                                              SHA-512:BA11A243B97326F6CD12F7F6F8B81E67F7E8F55B5DCF63A7E705813F85C9AF1866891770077514051CE153527B074DCBA2881B94BDB1925DEDC81354E9A84CD6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:PC bitmap, Windows 3.x format, 586 x 265 x 24, image size 466400, resolution 2835 x 2835 px/m, cbSize 466454, bits offset 54
                                              Category:dropped
                                              Size (bytes):466454
                                              Entropy (8bit):2.507425489748098
                                              Encrypted:false
                                              SSDEEP:384:wMbhZgu9gey6+Y6VgOo85W7yMphwD5GJUfBgfHu1rMcExEVEozmH2H1/n9gWr4OP:gz2EKe9RfkBw86/EmH
                                              MD5:DA0E7BCC28506AA8C754F228BCC37C24
                                              SHA1:C47F912301BE4D0EC4B1DA7905794AA57B57CACC
                                              SHA-256:308FF588C323A37A657C114A46B37844CF65D61D075CFB89DDD95E4A348688DD
                                              SHA-512:8C782E355756C3E8CA8BAF91BBEC6566EF91C75161B5B61F81870538C8AF763D93DA04B499885D33BFFD70DB6132B243FA321C70F96D3F3979DD55BC248D5778
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.854901984552606
                                              Encrypted:false
                                              SSDEEP:192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
                                              MD5:0063D48AFE5A0CDC02833145667B6641
                                              SHA1:E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
                                              SHA-256:AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
                                              SHA-512:71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):23487376
                                              Entropy (8bit):6.598032666398724
                                              Encrypted:false
                                              SSDEEP:196608:9yKuVc8qHI5UqPbWodL35FLOyomFHKnP1d9OzmIjFLOyomFHKnPP8kaAHEnnLV/S:9yKIcdHI5rbtFsTYF3FAHEnnLV/S
                                              MD5:F7AB04DBAF19089143E3F1A8EC5237B0
                                              SHA1:3B3437968B534EA904D6EC8340B55B005D4E5050
                                              SHA-256:32B8A6BEA730A699CA1AAA46248F42028748EF05C914B0967B2073310310237F
                                              SHA-512:8B79A610E87801B96F47A25006E4083376160E73BBF7AEDAB63AA320A8248CE5FC36FCF2230AAF826157989157ABFB627F2AB637362611906B5D7F2C2082AA3B
                                              Malicious:false
                                              Process:C:\Users\user\Downloads\ocsoffice.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):3097
                                              Entropy (8bit):4.983587260656619
                                              Encrypted:false
                                              SSDEEP:48:2S5s4oredjm5xxD5Ila6rs2aM31R7Y5IU4omIX5LPL0tcDpxoxIs41Zs4T:ZovzMl9ZoLJLRpqg1T
                                              MD5:4F40E0F74B0054E4FFB8BAB236E7CFE9
                                              SHA1:25B1DCC2A2A0DF8C91D351F16E9BB224418BC359
                                              SHA-256:9FC03E61E467D8D068DD96EE29D71EAAD500EA97F0E495E9F9CB288A9213D829
                                              SHA-512:34BF474746291F6426C46C530686A02767FD02410E38BCA5467271993CA18CE2E19C1C51A6FB81167A6A52CF2CC2DB13E1F2DF752C4E4E573B3EAEE20176683C
                                              Malicious:false
                                              Preview:OCS Inventory NG Packager (All-In-One Agent Installer) : ********************************************************..OCS Inventory NG Packager (All-In-One Agent Installer) : Starting OCS Inventory NG Packager (All-In-One Agent Installer) on 02/03/2024 at 2:23:00..OCS Inventory NG Packager (All-In-One Agent Installer) : Installing <OCS-Windows-Agent-Setup-x64.exe> version <2.9.2.0>..OCS Inventory NG Packager (All-In-One Agent Installer) : Installing from <C:\Users\user\AppData\Local\Temp\nsg5C75.tmp>\..OCS Inventory NG Packager (All-In-One Agent Installer) : Extracting privilegied installer..OCS Inventory NG Packager (All-In-One Agent Installer) : Extracting Agent setup file..OCS Inventory NG Packager (All-In-One Agent Installer) : Extracting Agent configuration files..OCS Inventory NG Packager (All-In-One Agent Installer) : Extracting Agent plugin files..OCS Inventory NG Packager (All-In-One Agent Installer) : Installing Agent to folder <C:\Program Files\OCS Inventory Agent>..OCS Invent
                                              Process:C:\Users\user\Desktop\ocs-office.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):6225663
                                              Entropy (8bit):7.925666116447602
                                              Encrypted:false
                                              SSDEEP:98304:hk8ZyHrQeSVQxYqYqwD9VjNodewaJ2K1zHPzOYJjBKLOwelpGCy:hk8ZyH1jYqcideH1YOweCCy
                                              MD5:BCD0D1EA9750CA6F018DA33DD41552B1
                                              SHA1:D5AE2A1432CD5397AB0E13C673364B5E153354C0
                                              SHA-256:6E0CEFC100A0C17B46F593078F116053E41CF46A2E272C8694A2CFFA29B640E0
                                              SHA-512:26D303E0D66FFDFDC118BAB0B0E1436C24F6D45B96C6526F515F4F85150342407C37BE0426B2305B2E60A0AEF85A0976E7196AFC9182DCDE6490DD731B0A125E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 3%
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1510207563435464
                                              Encrypted:false
                                              SSDEEP:3:Nlllul5:NllU
                                              MD5:01CA458C9AEC24C26DF28176496D33B9
                                              SHA1:E41CCB28F9F732BB67B40ECC67E2050C4D3D59B7
                                              SHA-256:A8535BB2871004BE1159B84779D898BF3FC765C30E96C2669E81315B71FD0CEA
                                              SHA-512:A7E16B0CB841A79D6F4E851273D58B7AA16B0FAF63E55C0CE4FE29620CA479F5DA75A75B6FD5DCDF824A99CA3792122ED34AB7AFEEC74D3796AC3940A48C8484
                                              Malicious:false
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Entropy (8bit):6.485082971590613
                                              TrID:
                                              • Win64 Executable GUI (202006/5) 92.65%
                                              • Win64 Executable (generic) (12005/4) 5.51%
                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                              • DOS Executable Generic (2002/1) 0.92%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:ocs-office.exe
                                              File size:1'166'336 bytes
                                              MD5:9ca1a4c10e82450b64100ad0723bc23f
                                              SHA1:2250f749cedc73924c998c8e38448cd739c4095b
                                              SHA256:2cb1be6c34d9992150169d9abe3236b700f946c6ff9f8f76507d46331d4bb431
                                              SHA512:5521f9867e52bdaa6a188ff8ee5dd6c62594ba7c23776486163ca4efee3045b64ba3931ca2033e38530855f4eb51a8fe2f9234c644673ebc1dc7a60938877502
                                              SSDEEP:24576:0rORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaiYzN:02EYTb8atv1orq+pEiSDTj1VyvBaiU
                                              TLSH:21455C0D63A441AEFEE7D176DD12C90ADAB17C47027E862F05A65FB12E336F1A61E310
                                              Icon Hash:749a5c97d5582058
                                              Entrypoint:0x14002549c
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x140000000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x64AD5843 [Tue Jul 11 13:25:23 2023 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:2
                                              File Version Major:5
                                              File Version Minor:2
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:2
                                              Import Hash:fadc5a257419d2541a6b13dfb5e311e2
                                              Instruction
                                              Programming Language:
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe5c10 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfb000 | 0x28204 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xf4000 | 0x6f48 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0xa74 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc7050 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xd9aa0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc7070 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb5000 | 0x1138 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb3328 | 0xb3400 | 507a8505198e35cc9675301d53e3b1c4 | False | 0.5503358721234309 | data | 6.5212967575920215 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb5000 | 0x34204 | 0x34400 | 9eda36be0cf076085a2f9772c1ee5803 | False | 0.30884139503588515 | data | 5.360588077813426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xea000 | 0x9120 | 0x5000 | ec6b77d6ef8898b0d3b7d48c042d66a0 | False | 0.040673828125 | DOS executable (block device driver) | 0.5749243362866429 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xf4000 | 0x6f48 | 0x7000 | 4416e27f8be9f9271c439d2fd34d1b2d | False | 0.49612862723214285 | data | 5.911479421450324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xfb000 | 0x28204 | 0x28400 | 1782d923936543118cc639be9072c3e0 | False | 0.5198527270962733 | data | 6.290951218939824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0xa74 | 0xc00 | 5ddb0e422ace102fe530e589a0cbec6f | False | 0.4850260416666667 | data | 5.139847116863034 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xfb458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xfb580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xfb6a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xfb7d0 | 0x13b00 | Device independent bitmap graphic, 150 x 260 x 32, image size 78000, resolution 3779 x 3779 px/m | English | Great Britain | 0.12134176587301587
RT_MENU | 0x10f2d0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0x10f320 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0x10f8b4 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0x10ff40 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0x1103d0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0x1109cc | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0x111028 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0x111490 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0x1115e8 | 0x11700 | data | | | 1.0004340277777777
RT_GROUP_ICON | 0x122ce8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x122cfc | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x122d10 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x122d24 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x122d38 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x122e14 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, GetFullPathNameW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, EnterCriticalSection, DuplicateHandle, GetStdHandle, CreatePipe, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, CreateThread, GetCurrentProcess, GetCurrentThread, LeaveCriticalSection, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, SetLastError, TlsAlloc, ResetEvent, WaitForSingleObjectEx, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, CloseHandle, WriteConsoleW, MoveFileW, RtlCaptureContext
USER32.dll | GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetWindowLongW, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongPtrW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, SetWindowLongPtrW, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, IsCharUpperW, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, GetClipboardData, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, IsCharLowerW, IsCharAlphaNumericW, IsCharAlphaW, GetKeyboardLayoutNameW, ClientToScreen, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, SetMenuDefaultItem, CloseClipboard, GetWindowRect, SetUserObjectSecurity, IsClipboardFormatAvailable, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, OpenClipboard, GetWindowLongPtrW
GDI32.dll | EndPath, DeleteObject, GetDeviceCaps, ExtCreatePen, StrokePath, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, GetTextExtentPoint32W, CreateCompatibleBitmap, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StretchBlt, SelectObject, CreateCompatibleDC, StrokeAndFillPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegSetValueExW, GetSecurityDescriptorDacl, GetAclInformation, RegCreateKeyExW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW, GetUserNameW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | VariantChangeType, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, VariantTimeToSystemTime, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, VariantInit, VariantClear, VariantCopy, SysAllocString, SafeArrayCreateVector, VarR8FromDec, SafeArrayAllocDescriptorEx, SafeArrayAllocData, SysStringLen, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, SysReAllocString, SafeArrayAccessData
Language of compilation system: English
Country where language is spoken: Great Britain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Mar 2, 2024 02:22:57.253375053 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.253740072 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.253755093 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.253815889 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.253827095 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.253880024 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.255383015 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.255400896 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.255474091 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.255486012 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.255534887 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.256211996 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.256238937 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.256283045 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.256293058 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.256316900 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.256336927 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.256541014 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.256555080 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.256614923 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.256625891 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.256678104 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.256975889 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.256990910 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.257046938 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.257059097 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.257110119 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.257761955 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.257788897 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.257832050 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.257843018 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.257865906 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.257884026 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.258419037 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.258443117 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.258488894 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.258500099 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.258524895 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.258543968 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.258882999 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.258905888 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.258955956 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.258965969 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.259013891 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.259015083 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.259221077 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.259234905 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.259294987 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.259305954 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.259361982 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.259720087 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.259747028 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.259783983 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.259794950 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.259820938 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.259843111 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.260262012 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.260276079 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.260338068 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.260349035 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.260395050 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.260662079 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.260677099 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.260735035 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.260746002 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.260797024 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.261023045 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.261043072 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.261082888 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.261092901 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.261116982 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.261138916 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.261471987 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.261492968 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.261535883 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.261547089 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.261586905 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.261607885 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.262310028 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.262325048 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.262379885 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.262391090 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.262437105 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.262727022 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.262742996 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.262789011 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.262799978 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.262852907 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.263334036 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.263354063 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.263406992 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.263417959 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.263463020 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.264076948 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.264096975 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.264142990 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.264153957 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.264177084 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.264197111 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.264902115 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.264915943 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.264971972 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.264986992 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.265008926 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.265033007 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.266774893 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.266797066 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.266836882 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.266848087 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.266871929 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.266890049 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.267354012 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.267368078 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.267426968 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.267438889 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.267488003 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.268248081 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.268261909 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.268321991 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.268333912 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.268381119 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.269181967 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.269208908 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.269248009 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.269258976 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.269283056 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.269301891 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.270153999 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.270167112 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.270226002 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.270236969 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.270278931 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.270951986 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.270971060 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.271028996 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.271040916 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.271089077 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.271895885 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.271909952 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.271976948 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.271989107 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.272036076 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.272670031 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.272696972 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.272731066 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.272742033 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.272766113 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.272783995 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.273418903 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.273436069 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.273489952 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.273500919 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.273540974 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.274138927 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.274172068 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.274207115 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.274216890 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.274240971 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.274260044 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.274935007 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.274954081 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.275002003 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.275013924 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.275062084 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.275332928 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.275352955 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.275384903 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.275394917 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.275418997 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.275437117 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.275768042 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.275789022 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.275830030 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.275840998 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.275893927 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276174068 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276199102 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276227951 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276237965 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276261091 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276278019 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276496887 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276511908 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276554108 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276563883 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276590109 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276607990 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276889086 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276911020 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276946068 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276957035 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.276981115 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.276999950 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.277340889 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.277354956 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.277400970 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.277411938 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.277455091 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.277956009 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.277970076 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.278012037 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.278023005 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.278047085 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.278067112 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.290951014 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.290966034 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.291029930 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.291040897 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.291083097 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.291083097 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.463330030 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.463351011 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.463428974 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.463449001 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.463499069 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.464097023 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.464111090 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.464169979 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.464181900 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.464234114 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.464498997 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.464513063 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.464567900 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.464579105 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.464641094 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.465013027 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465027094 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465085983 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.465096951 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465146065 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.465414047 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465429068 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465485096 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.465497017 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465548038 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.465816975 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465831041 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465883017 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.465908051 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.465960026 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.466363907 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.466378927 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.466443062 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.466454983 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.466506958 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.467263937 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.467278957 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.467335939 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.467346907 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.467396021 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909324884 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909333944 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909360886 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909365892 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909382105 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909415960 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909423113 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909431934 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909440041 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909449100 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909485102 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909514904 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909532070 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909540892 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909552097 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909585953 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909585953 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909599066 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909610987 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909635067 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909648895 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909662962 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909676075 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909696102 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909703016 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909715891 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909743071 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909756899 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909774065 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909782887 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909782887 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909787893 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909806013 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909815073 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909842014 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909843922 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909867048 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909868002 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909877062 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909907103 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909920931 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909935951 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909955978 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.909967899 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909986973 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.909991980 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910007000 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910015106 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910023928 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910049915 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910059929 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910074949 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910084963 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910094976 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910121918 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910131931 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910139084 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910152912 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910167933 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910177946 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910202980 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910214901 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910218954 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910231113 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910254002 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910263062 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910279989 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910288095 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910309076 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910312891 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910324097 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910346031 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910368919 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910372972 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910382986 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910423994 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910433054 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910449028 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910459995 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910487890 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910490036 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910512924 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910536051 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910553932 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910583019 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910583019 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910594940 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910619020 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910621881 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910633087 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910650969 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910674095 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910687923 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910691977 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910702944 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910734892 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910742998 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910763979 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910769939 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910769939 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910779953 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910804987 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910819054 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910824060 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910835028 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910846949 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910856009 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910875082 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910880089 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910898924 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910900116 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910928965 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910953999 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910976887 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.910981894 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.910999060 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911004066 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911011934 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911031961 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911048889 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911062956 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911063910 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911073923 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911109924 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911115885 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911130905 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911138058 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911149025 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911175013 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911180019 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911191940 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911200047 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911207914 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911216974 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911264896 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911268950 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911284924 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911290884 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911299944 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911324978 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911329031 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911344051 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911355019 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911358118 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911365986 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911391973 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911410093 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911423922 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911437035 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911477089 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911484957 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911497116 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911530018 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911535978 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911551952 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911561012 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911571980 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911596060 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911598921 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911619902 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911624908 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911634922 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911668062 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911669970 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911669970 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911684990 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911695004 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911782026 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911799908 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911804914 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911819935 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911847115 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911861897 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911879063 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911890984 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911890984 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911892891 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911911011 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911921978 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911941051 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911943913 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.911959887 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.911990881 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912004948 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912023067 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912034988 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912039042 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912039042 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912062883 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912077904 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912095070 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912107944 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912141085 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912148952 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912168026 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912190914 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912198067 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912216902 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912228107 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912252903 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912265062 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912276030 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912281036 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912290096 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912314892 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912339926 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912349939 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912355900 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912364960 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912390947 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912405968 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912409067 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912420034 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912451029 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912466049 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912466049 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912481070 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912499905 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912503004 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912523031 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912533045 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912560940 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912565947 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912599087 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912609100 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912626982 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912632942 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912642956 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912652969 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912662029 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912682056 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912686110 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912704945 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912705898 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912739038 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912749052 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912769079 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912774086 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912784100 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912791967 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912805080 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912827969 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912831068 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912844896 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912851095 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912879944 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912889957 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912909031 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.912913084 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.912923098 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917309999 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917321920 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917331934 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917350054 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917362928 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917396069 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917397022 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917411089 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917426109 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917437077 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917459965 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917464972 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917475939 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917498112 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917500019 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917521954 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917531967 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917551994 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917557955 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917592049 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917592049 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917617083 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917619944 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917656898 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917661905 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917694092 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917699099 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917711973 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917732000 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917736053 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917763948 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917766094 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917774916 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917798042 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917804003 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917817116 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917828083 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917850018 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917855978 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917872906 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917882919 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917929888 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917932034 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917967081 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.917978048 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.917998075 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918004036 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918011904 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918020964 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918030024 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918056965 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918059111 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918073893 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918077946 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918088913 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918097019 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918121099 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918131113 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918145895 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918159962 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918190956 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918206930 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918216944 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918216944 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918222904 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918237925 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918246031 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918268919 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918278933 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918278933 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918283939 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918312073 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918323040 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918344975 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918349981 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918363094 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918373108 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918381929 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918405056 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918411970 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918421984 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918431044 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918437958 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918447018 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918481112 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918486118 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918486118 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918499947 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918504000 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918514967 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918534994 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918555975 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918556929 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918566942 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918600082 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918613911 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918621063 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918629885 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918647051 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918663979 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918684959 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918701887 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918719053 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918745995 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918745995 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918749094 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918766975 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918786049 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918795109 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918813944 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918819904 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918829918 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918838978 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918847084 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918873072 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918888092 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918889999 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918908119 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918914080 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918924093 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918950081 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918956995 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918966055 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918976068 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.918987989 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.918998003 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919019938 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919023991 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919037104 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919047117 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919055939 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919081926 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919086933 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919107914 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919114113 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919123888 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919147968 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919152021 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919164896 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919172049 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919188023 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919197083 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919223070 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919225931 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919239998 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919245958 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919255018 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919279099 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919281006 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919298887 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919301987 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919308901 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919333935 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919352055 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919373035 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919387102 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919425011 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919435978 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919445038 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919481039 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919491053 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919504881 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919513941 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919524908 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919544935 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919549942 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919570923 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919594049 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919594049 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919609070 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.919631958 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.919663906 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.935025930 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.935041904 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.935113907 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.935122013 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.935164928 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.938417912 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.949767113 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.949783087 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.949848890 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.949862003 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:57.949994087 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:57.969959021 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.122474909 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.122502089 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.122601986 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.122663975 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.122714043 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.139086008 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.139113903 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.139183998 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.139199972 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.139254093 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.139491081 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.139514923 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.139559031 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.139575958 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.139605045 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.139625072 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.139904976 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.139919996 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.139974117 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.139986992 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.140033007 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.141047955 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.141062975 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.141125917 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.141139030 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.141200066 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.141625881 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.141639948 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.141679049 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.141690016 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.141715050 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.141735077 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.142107010 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.142132998 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.142168999 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.142179012 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.142204046 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.142222881 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.142501116 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.142517090 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.142554045 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.142564058 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.142590046 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.142608881 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.142942905 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.142956972 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.143009901 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.143022060 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.143074989 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.143450022 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.143464088 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.143501997 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.143512964 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.143537998 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.143553972 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.144157887 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.144171953 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.144212961 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.144223928 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.144248009 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.144267082 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.144566059 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.144582033 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.144617081 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.144628048 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.144656897 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380629063 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380645990 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380646944 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380660057 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380675077 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380702972 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380706072 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380713940 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380752087 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380757093 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380769968 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380778074 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380788088 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380810022 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380829096 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380844116 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380848885 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380860090 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380880117 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380886078 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380899906 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380904913 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380914927 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.380939960 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.380960941 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.381752968 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.383811951 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.383826017 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.383883953 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.383896112 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.383944988 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.383976936 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384005070 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384037018 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.384052992 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384076118 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.384093046 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.384207010 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384222984 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384260893 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.384274006 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384298086 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.384318113 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.384584904 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384598970 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384634972 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.384644985 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.384670019 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.384689093 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.385093927 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.385107994 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.385149002 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.385159016 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.385185957 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.385195971 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.385210037 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.385214090 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.385222912 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:58.385243893 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:58.385278940 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:59.381165028 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:59.381179094 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:59.381280899 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:59.381417036 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:59.381465912 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:59.381625891 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:59.809762001 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:59.809778929 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:59.809847116 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:59.809858084 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:59.809910059 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:22:59.809942007 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:22:59.809961081 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:23:00.022923946 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:23:00.022937059 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:23:00.023005009 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:23:00.023029089 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:23:00.023056030 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:23:00.023089886 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:23:00.023121119 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:23:00.023130894 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:23:00.023166895 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:23:00.023722887 CET49730443192.168.2.4119.8.87.215
                                              Mar 2, 2024 02:23:00.023752928 CET44349730119.8.87.215192.168.2.4
                                              Mar 2, 2024 02:23:36.099915028 CET4973780192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:36.313322067 CET8049737119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:36.313412905 CET4973780192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:36.314280033 CET4973780192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:36.527775049 CET8049737119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:36.531534910 CET8049737119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:36.531913042 CET4973780192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:36.744920015 CET8049737119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:36.745240927 CET4973780192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:47.800517082 CET4973880192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:48.014477968 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.014590025 CET4973880192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:48.014831066 CET4973880192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:48.228214979 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.231133938 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.231519938 CET4973880192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:48.445764065 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.445805073 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.445837021 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.445943117 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.608431101 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.608692884 CET4973880192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:48.822426081 CET8049738119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:48.822484016 CET4973880192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:54.865155935 CET4974080192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:55.079158068 CET8049740119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:55.079257011 CET4974080192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:55.080013037 CET4974080192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:55.293392897 CET8049740119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:55.298631907 CET8049740119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:55.298949957 CET4974080192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:23:55.512777090 CET8049740119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:23:55.512871027 CET4974080192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:24:09.713870049 CET4974180192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:24:09.928236008 CET8049741119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:24:09.928344011 CET4974180192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:24:09.928865910 CET4974180192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:24:10.149447918 CET8049741119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:24:10.149837017 CET4974180192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:24:10.364444017 CET8049741119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:24:10.364485025 CET8049741119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:24:10.364518881 CET8049741119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:24:10.364604950 CET8049741119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:24:10.499927044 CET8049741119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:24:10.501602888 CET4974180192.168.2.4119.8.228.120
                                              Mar 2, 2024 02:24:10.715354919 CET8049741119.8.228.120192.168.2.4
                                              Mar 2, 2024 02:24:10.715440989 CET4974180192.168.2.4119.8.228.120
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 2, 2024 02:22:53.210650921 CET | 59673 | 53 | 192.168.2.4 | 1.1.1.1
Mar 2, 2024 02:22:53.737226963 CET | 53 | 59673 | 1.1.1.1 | 192.168.2.4
Mar 2, 2024 02:23:35.621685028 CET | 49900 | 53 | 192.168.2.4 | 1.1.1.1
Mar 2, 2024 02:23:36.029583931 CET | 53 | 49900 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 2, 2024 02:22:53.210650921 CET | 192.168.2.4 | 1.1.1.1 | 0xf1a5 | Standard query (0) | portal.fm2c.com.br | A (IP address) | IN (0x0001) | false
Mar 2, 2024 02:23:35.621685028 CET | 192.168.2.4 | 1.1.1.1 | 0xb770 | Standard query (0) | ti.fm2c.com.br | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 2, 2024 02:22:53.737226963 CET | 1.1.1.1 | 192.168.2.4 | 0xf1a5 | No error (0) | portal.fm2c.com.br |  | 119.8.87.215 | A (IP address) | IN (0x0001) | false
Mar 2, 2024 02:23:11.793181896 CET | 1.1.1.1 | 192.168.2.4 | 0xe12d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 2, 2024 02:23:11.793181896 CET | 1.1.1.1 | 192.168.2.4 | 0xe12d | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Mar 2, 2024 02:23:24.735702038 CET | 1.1.1.1 | 192.168.2.4 | 0xec6a | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 2, 2024 02:23:24.735702038 CET | 1.1.1.1 | 192.168.2.4 | 0xec6a | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Mar 2, 2024 02:23:36.029583931 CET | 1.1.1.1 | 192.168.2.4 | 0xb770 | No error (0) | ti.fm2c.com.br |  | 119.8.228.120 | A (IP address) | IN (0x0001) | false
                                              • portal.fm2c.com.br
                                              • ti.fm2c.com.br
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 119.8.228.120 | 80 | 6540 | C:\Program Files\OCS Inventory Agent\OCSInventory.exe
Timestamp | Bytes transferred | Direction | Data
Mar 2, 2024 02:23:36.314280033 CET | 301 | OUT | POST /ocsinventory HTTP/1.1
Host: ti.fm2c.com.br
User-Agent: OCS-NG_WINDOWS_AGENT_v2.9.2.0
Accept: */*
Content-Type: application/x-compressed
Content-Length: 131
Mar 2, 2024 02:23:36.531534910 CET | 410 | IN | HTTP/1.1 200 OK
Date: Sat, 02 Mar 2024 01:23:36 GMT
Server: Apache/2.4.41 (Ubuntu)
content-length: 236
Cache-control: no-cache
Content-Type: application/x-compressed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 119.8.228.120 | 80 | 6540 | C:\Program Files\OCS Inventory Agent\OCSInventory.exe
Timestamp | Bytes transferred | Direction | Data
Mar 2, 2024 02:23:48.014831066 CET | 193 | OUT | POST /ocsinventory HTTP/1.1
Host: ti.fm2c.com.br
User-Agent: OCS-NG_WINDOWS_AGENT_v2.9.2.0
Accept: */*
Content-Type: application/x-compressed
Content-Length: 4352
Expect: 100-continue
Mar 2, 2024 02:23:48.231133938 CET | 25 | IN | HTTP/1.1 100 Continue
Mar 2, 2024 02:23:48.231519938 CET | 4352 | OUT |
Mar 2, 2024 02:23:48.608431101 CET | 264 | IN | HTTP/1.1 200 OK
Date: Sat, 02 Mar 2024 01:23:48 GMT
Server: Apache/2.4.41 (Ubuntu)
content-length: 91
Cache-control: no-cache
Content-Type: application/x-compressed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49740 | 119.8.228.120 | 80 | 1464 | C:\Program Files\OCS Inventory Agent\OCSInventory.exe
Timestamp | Bytes transferred | Direction | Data
Mar 2, 2024 02:23:55.080013037 CET | 301 | OUT | POST /ocsinventory HTTP/1.1
Host: ti.fm2c.com.br
User-Agent: OCS-NG_WINDOWS_AGENT_v2.9.2.0
Accept: */*
Content-Type: application/x-compressed
Content-Length: 131
Mar 2, 2024 02:23:55.298631907 CET | 411 | IN | HTTP/1.1 200 OK
Date: Sat, 02 Mar 2024 01:23:55 GMT
Server: Apache/2.4.41 (Ubuntu)
content-length: 237
Cache-control: no-cache
Content-Type: application/x-compressed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49741 | 119.8.228.120 | 80 | 1464 | C:\Program Files\OCS Inventory Agent\OCSInventory.exe
Timestamp | Bytes transferred | Direction | Data
Mar 2, 2024 02:24:09.928865910 CET | 193 | OUT | POST /ocsinventory HTTP/1.1
Host: ti.fm2c.com.br
User-Agent: OCS-NG_WINDOWS_AGENT_v2.9.2.0
Accept: */*
Content-Type: application/x-compressed
Content-Length: 4656
Expect: 100-continue
Mar 2, 2024 02:24:10.149447918 CET | 25 | IN | HTTP/1.1 100 Continue
Mar 2, 2024 02:24:10.149837017 CET | 4656 | OUT |
Mar 2, 2024 02:24:10.499927044 CET | 264 | IN | HTTP/1.1 200 OK
Date: Sat, 02 Mar 2024 01:24:10 GMT
Server: Apache/2.4.41 (Ubuntu)
content-length: 91
Cache-control: no-cache
Content-Type: application/x-compressed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49729 | 119.8.87.215 | 443 | 6556 | C:\Users\user\Desktop\ocs-office.exe
Timestamp | Bytes transferred | Direction | Data
2024-03-02 01:22:54 UTC | 97 | OUT | GET /paginas/publicFiles/ocsoffice.exe HTTP/1.1
User-Agent: AutoIt
Host: portal.fm2c.com.br
2024-03-02 01:22:55 UTC | 262 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 11 Jul 2023 13:27:24 GMT
Accept-Ranges: bytes
ETag: "e57a46efbb3d91:0"
Server: Microsoft-IIS/10.0
Date: Sat, 02 Mar 2024 01:22:54 GMT
Connection: close
Content-Length: 6225663
2024-03-02 01:22:55 UTC | 16122 | IN |
2024-03-02 01:22:55 UTC | 16384 | IN |


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.4 | 49730 | 119.8.87.215 | 443 | 6556 | C:\Users\user\Desktop\ocs-office.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-03-02 01:22:55 UTC | 122 | OUT | GET /paginas/publicFiles/ocsoffice.exe HTTP/1.1
                                              User-Agent: AutoIt
                                              Host: portal.fm2c.com.br
                                              Cache-Control: no-cache
                                              2024-03-02 01:22:56 UTC | 262 | IN | HTTP/1.1 200 OK
                                              Content-Type: application/octet-stream
                                              Last-Modified: Tue, 11 Jul 2023 13:27:24 GMT
                                              Accept-Ranges: bytes
                                              ETag: "e57a46efbb3d91:0"
                                              Server: Microsoft-IIS/10.0
                                              Date: Sat, 02 Mar 2024 01:22:55 GMT
                                              Connection: close
                                              Content-Length: 6225663



                                              Target ID:0
                                              Start time:02:22:51
                                              Start date:02/03/2024
                                              Path:C:\Users\user\Desktop\ocs-office.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\Desktop\ocs-office.exe
                                              Imagebase:0x7ff78ea80000
                                              File size:1'166'336 bytes
                                              MD5 hash:9CA1A4C10E82450B64100AD0723BC23F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:02:22:59
                                              Start date:02/03/2024
                                              Path:C:\Users\user\Downloads\ocsoffice.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Downloads\ocsoffice.exe
                                              Imagebase:0x7ff7699e0000
                                              File size:6'225'663 bytes
                                              MD5 hash:BCD0D1EA9750CA6F018DA33DD41552B1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 3%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:02:23:00
                                              Start date:02/03/2024
                                              Path:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\instOCS.exe
                                              Wow64 process (32bit):true
                                              Commandline:instocs.exe
                                              Imagebase:0x400000
                                              File size:417'337 bytes
                                              MD5 hash:3F4CD95A8DF390E36298093C74B3BF7E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:02:23:00
                                              Start date:02/03/2024
                                              Path:C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\nsg5C75.tmp\OcsSetup.exe" /S /NP /NOSPLASH /NO_SYSTRAY /NOW /TAG="office" /SERVER=http://ti.fm2c.com.br/ocsinventory
                                              Imagebase:0x400000
                                              File size:5'907'776 bytes
                                              MD5 hash:B2216E895278C44D8168F78188AB4FE9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:7
                                              Start time:02:23:31
                                              Start date:02/03/2024
                                              Path:C:\Program Files\OCS Inventory Agent\OCSInventory.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\OCS Inventory Agent\ocsinventory.exe" /SAVE_CONF /SERVER=http://ti.fm2c.com.br/ocsinventory /USER= /PWD= /SSL=1 /CA="cacert.pem" /PROXY_TYPE=0 /PROXY= /PROXY_PORT= /PROXY_USER= /PROXY_PWD= /DEBUG=0 /TAG="office" /WMI_FLAG_MODE="COMPLETE" /DEFAULT_USER_DOMAIN="" /NO_SYSTRAY
                                              Imagebase:0x7ff7b4c30000
                                              File size:486'304 bytes
                                              MD5 hash:38E1FC55C0339A770DD39CA6541437B9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              • Detection: 0%, Virustotal, Browse
                                              Reputation:low
                                              Has exited:true

                                              Target ID:8
                                              Start time:02:23:34
                                              Start date:02/03/2024
                                              Path:C:\Program Files\OCS Inventory Agent\OCSInventory.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Program Files\OCS Inventory Agent\ocsinventory.exe
                                              Imagebase:0x7ff7b4c30000
                                              File size:486'304 bytes
                                              MD5 hash:38E1FC55C0339A770DD39CA6541437B9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:9
                                              Start time:02:23:36
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs
                                              Imagebase:0x7ff72bec0000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:02:23:36
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:02:23:36
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\cscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs"
                                              Imagebase:0x7ff6a8fb0000
                                              File size:161'280 bytes
                                              MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:13
                                              Start time:02:23:37
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}
                                              Imagebase:0x7ff7eba00000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:02:23:37
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:15
                                              Start time:02:23:37
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:02:23:39
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\ipconfig.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\ipconfig.exe" /displaydns
                                              Imagebase:0x7ff621120000
                                              File size:35'840 bytes
                                              MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:17
                                              Start time:02:23:50
                                              Start date:02/03/2024
                                              Path:C:\Program Files\OCS Inventory Agent\OcsService.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\OCS Inventory Agent\OcsService.exe" -install
                                              Imagebase:0x7ff6eed60000
                                              File size:803'232 bytes
                                              MD5 hash:67C17EA1BF6EB610DEAC638E4078D6B4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              • Detection: 0%, Virustotal, Browse
                                              Reputation:low
                                              Has exited:true

                                              Target ID:18
                                              Start time:02:23:50
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:19
                                              Start time:02:23:52
                                              Start date:02/03/2024
                                              Path:C:\Program Files\OCS Inventory Agent\OcsService.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Program Files\OCS Inventory Agent\OcsService.exe
                                              Imagebase:0x7ff6eed60000
                                              File size:803'232 bytes
                                              MD5 hash:67C17EA1BF6EB610DEAC638E4078D6B4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:false

                                              Target ID:20
                                              Start time:02:23:53
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe" /c "C:\Program Files\OCS Inventory Agent\ocsinventory.exe
                                              Imagebase:0x7ff7eba00000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:21
                                              Start time:02:23:53
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:22
                                              Start time:02:23:53
                                              Start date:02/03/2024
                                              Path:C:\Program Files\OCS Inventory Agent\OCSInventory.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Program Files\OCS Inventory Agent\ocsinventory.exe
                                              Imagebase:0x7ff7b4c30000
                                              File size:486'304 bytes
                                              MD5 hash:38E1FC55C0339A770DD39CA6541437B9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:23
                                              Start time:02:23:55
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe" /c cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs
                                              Imagebase:0x7ff7eba00000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:24
                                              Start time:02:23:55
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:25
                                              Start time:02:23:55
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\cscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:cscript /nologo "C:\Program Files\OCS Inventory Agent\plugins\o36516user.vbs"
                                              Imagebase:0x7ff6a8fb0000
                                              File size:161'280 bytes
                                              MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:26
                                              Start time:02:23:56
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}
                                              Imagebase:0x7ff7eba00000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:27
                                              Start time:02:23:56
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:28
                                              Start time:02:23:56
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "& {& 'C:\Program Files\OCS Inventory Agent\plugins\Saas.ps1'; [Environment]::Exit(1)}"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:29
                                              Start time:02:23:57
                                              Start date:02/03/2024
                                              Path:C:\Windows\System32\ipconfig.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\ipconfig.exe" /displaydns
                                              Imagebase:0x7ff621120000
                                              File size:35'840 bytes
                                              MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:3.4%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:13%
                                                Total number of Nodes:1852
                                                Total number of Limit Nodes:48
99446->99758 99449 7ff78eaa8ef2 99448->99449 99450 7ff78eab2c80 37 API calls wcsftime 99448->99450 99449->99300 99450->99448 99452 7ff78ea8dfac 99451->99452 99453 7ff78eaa4c68 4 API calls 99452->99453 99454 7ff78ea859f5 99452->99454 99453->99454 99455 7ff78ea8d670 99454->99455 99456 7ff78ea8d698 99455->99456 99457 7ff78ea8d6a2 99456->99457 99759 7ff78ea8880c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 99456->99759 99461 7ff78ea8d7de 99457->99461 99760 7ff78ea8ee20 18 API calls Concurrency::wait 99457->99760 99460 7ff78ead9d43 99461->99330 99463 7ff78eb029c8 99462->99463 99761 7ff78eb02b70 99463->99761 99466 7ff78ea867d8 45 API calls 99467 7ff78eb02a03 99466->99467 99468 7ff78ea867d8 45 API calls 99467->99468 99469 7ff78eb02a23 99468->99469 99470 7ff78ea867d8 45 API calls 99469->99470 99471 7ff78eb02a49 99470->99471 99472 7ff78ea867d8 45 API calls 99471->99472 99473 7ff78eb02a6d 99472->99473 99474 7ff78ea867d8 45 API calls 99473->99474 99475 7ff78eb02ac5 99474->99475 99476 7ff78eb0240c 32 API calls 99475->99476 99477 7ff78eb02ada 99476->99477 99479 7ff78eb029de 99477->99479 99766 7ff78eb01d48 99477->99766 99479->99273 99481 7ff78ea8653d 99480->99481 99483 7ff78ea86542 99480->99483 99482 7ff78eab4970 62 API calls 99481->99482 99482->99483 99484 7ff78ea86558 99483->99484 99485 7ff78ea8656f FreeLibrary 99483->99485 99484->99283 99485->99484 99487 7ff78ea8a7c0 4 API calls 99486->99487 99488 7ff78ea89d99 99487->99488 99488->99378 99490 7ff78ea86490 99489->99490 99491 7ff78ea86d74 LoadLibraryA 99489->99491 99490->99392 99490->99393 99491->99490 99492 7ff78ea86d89 GetProcAddress 99491->99492 99492->99490 99494 7ff78eab47fc 99493->99494 99495 7ff78eab482a 99494->99495 99498 7ff78eab485c 99494->99498 99554 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99495->99554 99497 7ff78eab482f 99555 7ff78eabb164 31 API calls _invalid_parameter_noinfo 99497->99555 99500 7ff78eab4862 99498->99500 99501 7ff78eab486f 99498->99501 99556 7ff78eab55d4 15 
API calls _invalid_parameter_noinfo 99500->99556 99542 7ff78eabfeb4 99501->99542 99502 7ff78ea864cf 99502->99398 99502->99399 99506 7ff78eab4890 99549 7ff78eac0304 99506->99549 99507 7ff78eab4883 99557 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99507->99557 99510 7ff78eab48a3 99558 7ff78eaadf60 LeaveCriticalSection 99510->99558 99695 7ff78ea86d1c 99512->99695 99515 7ff78ea86d1c 2 API calls 99518 7ff78ea86cf1 99515->99518 99516 7ff78ea864f7 99519 7ff78ea86580 99516->99519 99517 7ff78ea86d0f FreeLibrary 99517->99516 99518->99516 99518->99517 99520 7ff78eaa4c68 4 API calls 99519->99520 99521 7ff78ea865b5 memcpy_s 99520->99521 99522 7ff78eacc9f5 99521->99522 99523 7ff78ea86740 CreateStreamOnHGlobal 99521->99523 99532 7ff78ea86602 99521->99532 99699 7ff78eb02e00 45 API calls 99522->99699 99525 7ff78ea86759 FindResourceExW 99523->99525 99523->99532 99525->99532 99526 7ff78eacc97e LoadResource 99528 7ff78eacc997 SizeofResource 99526->99528 99526->99532 99527 7ff78ea867d8 45 API calls 99527->99532 99530 7ff78eacc9ae LockResource 99528->99530 99528->99532 99529 7ff78eacc9fd 99531 7ff78ea867d8 45 API calls 99529->99531 99530->99532 99533 7ff78ea866e8 99531->99533 99532->99526 99532->99527 99532->99529 99532->99533 99533->99406 99535 7ff78ea867f7 99534->99535 99536 7ff78eacca6c 99534->99536 99700 7ff78eab4c5c 99535->99700 99539 7ff78eb0240c 99719 7ff78eb02200 99539->99719 99541 7ff78eb02430 99541->99414 99559 7ff78eabb9bc EnterCriticalSection 99542->99559 99544 7ff78eabfecb 99545 7ff78eabff54 18 API calls 99544->99545 99546 7ff78eabfed6 99545->99546 99547 7ff78eabba10 _isindst LeaveCriticalSection 99546->99547 99548 7ff78eab4879 99547->99548 99548->99506 99548->99507 99560 7ff78eac0040 99549->99560 99552 7ff78eac035e 99552->99510 99554->99497 99555->99502 99556->99502 99557->99502 99561 7ff78eac007d try_get_function 99560->99561 99571 7ff78eac0211 99561->99571 99575 7ff78eaadb68 37 API calls 4 library calls 99561->99575 99563 7ff78eac02de 99579 7ff78eabb164 31 API 
calls _invalid_parameter_noinfo 99563->99579 99565 7ff78eac021a 99565->99552 99572 7ff78eac7738 99565->99572 99567 7ff78eac0277 99567->99571 99576 7ff78eaadb68 37 API calls 4 library calls 99567->99576 99569 7ff78eac029a 99569->99571 99577 7ff78eaadb68 37 API calls 4 library calls 99569->99577 99571->99565 99578 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99571->99578 99580 7ff78eac6d04 99572->99580 99575->99567 99576->99569 99577->99571 99578->99563 99579->99565 99581 7ff78eac6d40 99580->99581 99582 7ff78eac6d28 99580->99582 99581->99582 99585 7ff78eac6d6d 99581->99585 99634 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99582->99634 99584 7ff78eac6d2d 99635 7ff78eabb164 31 API calls _invalid_parameter_noinfo 99584->99635 99591 7ff78eac7348 99585->99591 99588 7ff78eac6d39 99588->99552 99637 7ff78eac7078 99591->99637 99594 7ff78eac73d3 99656 7ff78eabe418 99594->99656 99595 7ff78eac73bc 99668 7ff78eab55b4 15 API calls _invalid_parameter_noinfo 99595->99668 99598 7ff78eac73c1 99669 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99598->99669 99600 7ff78eac73df 99670 7ff78eab55b4 15 API calls _invalid_parameter_noinfo 99600->99670 99601 7ff78eac73f7 CreateFileW 99602 7ff78eac7469 99601->99602 99603 7ff78eac74eb GetFileType 99601->99603 99607 7ff78eac74b8 GetLastError 99602->99607 99611 7ff78eac7478 CreateFileW 99602->99611 99608 7ff78eac7549 99603->99608 99609 7ff78eac74f8 GetLastError 99603->99609 99606 7ff78eac73e4 99671 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99606->99671 99672 7ff78eab5564 15 API calls 2 library calls 99607->99672 99675 7ff78eabe334 16 API calls 2 library calls 99608->99675 99673 7ff78eab5564 15 API calls 2 library calls 99609->99673 99611->99603 99611->99607 99614 7ff78eac7507 CloseHandle 99614->99598 99616 7ff78eac7539 99614->99616 99674 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99616->99674 99617 7ff78eac7568 99620 7ff78eac75b5 99617->99620 99676 7ff78eac7284 67 API calls 2 library calls 99617->99676 99619 
7ff78eac753e 99619->99598 99624 7ff78eac75ec 99620->99624 99677 7ff78eac6de4 67 API calls 4 library calls 99620->99677 99623 7ff78eac75e8 99623->99624 99625 7ff78eac75fe 99623->99625 99678 7ff78eac04b8 99624->99678 99627 7ff78eac6d95 99625->99627 99628 7ff78eac7681 CloseHandle CreateFileW 99625->99628 99627->99588 99636 7ff78eabe3f4 LeaveCriticalSection 99627->99636 99629 7ff78eac76f9 99628->99629 99630 7ff78eac76cb GetLastError 99628->99630 99629->99627 99693 7ff78eab5564 15 API calls 2 library calls 99630->99693 99632 7ff78eac76d8 99694 7ff78eabe548 16 API calls 2 library calls 99632->99694 99634->99584 99635->99588 99638 7ff78eac70a4 99637->99638 99642 7ff78eac70be 99637->99642 99639 7ff78eab55d4 _get_daylight 15 API calls 99638->99639 99638->99642 99640 7ff78eac70b3 99639->99640 99641 7ff78eabb164 _invalid_parameter_noinfo 31 API calls 99640->99641 99641->99642 99644 7ff78eac713b 99642->99644 99648 7ff78eab55d4 _get_daylight 15 API calls 99642->99648 99643 7ff78eac718c 99645 7ff78eab2554 31 API calls 99643->99645 99654 7ff78eac71ec 99643->99654 99644->99643 99646 7ff78eab55d4 _get_daylight 15 API calls 99644->99646 99647 7ff78eac71e8 99645->99647 99649 7ff78eac7181 99646->99649 99652 7ff78eabb184 _isindst 16 API calls 99647->99652 99647->99654 99650 7ff78eac7130 99648->99650 99651 7ff78eabb164 _invalid_parameter_noinfo 31 API calls 99649->99651 99653 7ff78eabb164 _invalid_parameter_noinfo 31 API calls 99650->99653 99651->99643 99655 7ff78eac7280 99652->99655 99653->99644 99654->99594 99654->99595 99657 7ff78eabb9bc _isindst EnterCriticalSection 99656->99657 99664 7ff78eabe43b 99657->99664 99658 7ff78eabba10 _isindst LeaveCriticalSection 99660 7ff78eabe52a 99658->99660 99659 7ff78eabe464 99661 7ff78eabe170 16 API calls 99659->99661 99660->99600 99660->99601 99662 7ff78eabe469 99661->99662 99665 7ff78eabe310 wprintf EnterCriticalSection 99662->99665 99667 7ff78eabe487 99662->99667 99663 7ff78eabe4c2 EnterCriticalSection 99666 7ff78eabe4d1 LeaveCriticalSection 
99663->99666 99663->99667 99664->99659 99664->99663 99664->99667 99665->99667 99666->99664 99667->99658 99668->99598 99669->99627 99670->99606 99671->99598 99672->99598 99673->99614 99674->99619 99675->99617 99676->99620 99677->99623 99679 7ff78eabe604 31 API calls 99678->99679 99682 7ff78eac04cc 99679->99682 99680 7ff78eac04d2 99681 7ff78eabe548 16 API calls 99680->99681 99684 7ff78eac0534 99681->99684 99682->99680 99685 7ff78eabe604 31 API calls 99682->99685 99692 7ff78eac050c 99682->99692 99683 7ff78eabe604 31 API calls 99686 7ff78eac0518 FindCloseChangeNotification 99683->99686 99690 7ff78eab5564 fread_s 15 API calls 99684->99690 99691 7ff78eac0560 99684->99691 99687 7ff78eac04ff 99685->99687 99686->99680 99689 7ff78eac0525 GetLastError 99686->99689 99688 7ff78eabe604 31 API calls 99687->99688 99688->99692 99689->99680 99690->99691 99691->99627 99692->99680 99692->99683 99693->99632 99694->99629 99696 7ff78ea86d2c LoadLibraryA 99695->99696 99697 7ff78ea86ce3 99695->99697 99696->99697 99698 7ff78ea86d41 GetProcAddress 99696->99698 99697->99515 99697->99518 99698->99697 99699->99529 99703 7ff78eab4c7c 99700->99703 99704 7ff78eab4ca6 99703->99704 99715 7ff78ea8680a 99703->99715 99705 7ff78eab4cb5 __scrt_fastfail 99704->99705 99706 7ff78eab4cd7 99704->99706 99704->99715 99716 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99705->99716 99718 7ff78eaadf54 EnterCriticalSection 99706->99718 99710 7ff78eab4cca 99717 7ff78eabb164 31 API calls _invalid_parameter_noinfo 99710->99717 99715->99539 99716->99710 99717->99715 99722 7ff78eab47bc 99719->99722 99721 7ff78eb02210 99721->99541 99725 7ff78eab4724 99722->99725 99726 7ff78eab4732 99725->99726 99727 7ff78eab4746 99725->99727 99733 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99726->99733 99729 7ff78eab4742 99727->99729 99735 7ff78eabbef8 6 API calls __vcrt_uninitialize_ptd 99727->99735 99729->99721 99730 7ff78eab4737 99734 7ff78eabb164 31 API calls _invalid_parameter_noinfo 99730->99734 99733->99730 
99734->99729 99735->99729 99737 7ff78ea91c5f 99736->99737 99738 7ff78ea91a48 99736->99738 99737->99417 99742 7ff78ea91a90 99738->99742 99753 7ff78eaa5114 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 99738->99753 99742->99417 99748 7ff78ea8f1ce 99747->99748 99750 7ff78ea8f1d8 99747->99750 99749 7ff78ea91a30 45 API calls 99748->99749 99749->99750 99750->99427 99751->99425 99752->99421 99754->99441 99755->99445 99756->99440 99757->99446 99758->99449 99759->99457 99760->99460 99763 7ff78eb02bae 99761->99763 99762 7ff78ea867d8 45 API calls 99762->99763 99763->99762 99764 7ff78eb0240c 32 API calls 99763->99764 99765 7ff78eb029da 99763->99765 99764->99763 99765->99466 99765->99479 99767 7ff78eb01d71 99766->99767 99768 7ff78eb01d61 99766->99768 99770 7ff78eab48e0 89 API calls 99767->99770 99771 7ff78eb01dbf 99767->99771 99772 7ff78eb01d7a 99767->99772 99769 7ff78eab48e0 89 API calls 99768->99769 99769->99767 99773 7ff78eb01d9e 99770->99773 99793 7ff78eb02038 99771->99793 99772->99479 99773->99771 99775 7ff78eb01da7 99773->99775 99775->99772 99805 7ff78eab4970 99775->99805 99776 7ff78eb01df5 99777 7ff78eb01e1c 99776->99777 99778 7ff78eb01df9 99776->99778 99783 7ff78eb01e4a 99777->99783 99784 7ff78eb01e2a 99777->99784 99780 7ff78eb01e07 99778->99780 99781 7ff78eab4970 62 API calls 99778->99781 99780->99772 99782 7ff78eab4970 62 API calls 99780->99782 99781->99780 99782->99772 99797 7ff78eb01e88 99783->99797 99785 7ff78eb01e38 99784->99785 99787 7ff78eab4970 62 API calls 99784->99787 99785->99772 99788 7ff78eab4970 62 API calls 99785->99788 99787->99785 99788->99772 99789 7ff78eb01e52 99790 7ff78eb01e68 99789->99790 99791 7ff78eab4970 62 API calls 99789->99791 99790->99772 99792 7ff78eab4970 62 API calls 99790->99792 99791->99790 99792->99772 99794 7ff78eb02056 memcpy_s 99793->99794 99795 7ff78eb02069 99793->99795 99794->99776 99796 7ff78eab4c5c _fread_nolock 45 API calls 99795->99796 99796->99794 99798 7ff78eb01fb0 
99797->99798 99803 7ff78eb01eaa 99797->99803 99801 7ff78eb01fd3 99798->99801 99819 7ff78eab2a04 99798->99819 99799 7ff78eb01bd0 45 API calls 99799->99803 99801->99789 99803->99798 99803->99799 99803->99801 99803->99803 99817 7ff78eb01c9c 45 API calls 99803->99817 99818 7ff78eb020cc 60 API calls 99803->99818 99806 7ff78eab49a3 99805->99806 99807 7ff78eab498e 99805->99807 99809 7ff78eab499e 99806->99809 99838 7ff78eaadf54 EnterCriticalSection 99806->99838 99839 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99807->99839 99809->99772 99811 7ff78eab4993 99840 7ff78eabb164 31 API calls _invalid_parameter_noinfo 99811->99840 99812 7ff78eab49b9 99814 7ff78eab48ec 60 API calls 99812->99814 99815 7ff78eab49c2 99814->99815 99816 7ff78eaadf60 fflush LeaveCriticalSection 99815->99816 99816->99809 99817->99803 99818->99803 99820 7ff78eab2a24 99819->99820 99825 7ff78eab2a3e 99819->99825 99821 7ff78eab2a46 99820->99821 99822 7ff78eab2a2e 99820->99822 99820->99825 99828 7ff78eab27c4 99821->99828 99835 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 99822->99835 99825->99801 99826 7ff78eab2a33 99836 7ff78eabb164 31 API calls _invalid_parameter_noinfo 99826->99836 99837 7ff78eaadf54 EnterCriticalSection 99828->99837 99830 7ff78eab27e1 99831 7ff78eab2804 58 API calls 99830->99831 99832 7ff78eab27ea 99831->99832 99833 7ff78eaadf60 fflush LeaveCriticalSection 99832->99833 99834 7ff78eab27f5 99833->99834 99834->99825 99835->99826 99836->99825 99839->99811 99840->99809 99842 7ff78eac8f90 wcsftime 99841->99842 99843 7ff78ea83ec4 GetLongPathNameW 99842->99843 99844 7ff78ea87cf4 4 API calls 99843->99844 99845 7ff78ea83eed 99844->99845 99846 7ff78ea84074 99845->99846 99847 7ff78ea89640 4 API calls 99846->99847 99848 7ff78ea8408e 99847->99848 99849 7ff78ea856d4 5 API calls 99848->99849 99850 7ff78ea8409b 99849->99850 99851 7ff78ea840a7 99850->99851 99852 7ff78eacbada 99850->99852 99853 7ff78ea84680 4 API calls 99851->99853 99857 7ff78eacbb0f 99852->99857 99893 7ff78eaa1ad0 
CompareStringW 99852->99893 99855 7ff78ea840b5 99853->99855 99889 7ff78ea840e8 99855->99889 99858 7ff78ea840cb Concurrency::wait 99858->99347 99860 7ff78ea86460 105 API calls 99859->99860 99861 7ff78ea863e5 99860->99861 99862 7ff78eacc656 99861->99862 99863 7ff78ea86460 105 API calls 99861->99863 99864 7ff78eb02948 90 API calls 99862->99864 99865 7ff78ea86400 99863->99865 99866 7ff78eacc66e 99864->99866 99865->99862 99867 7ff78ea86408 99865->99867 99868 7ff78eacc690 99866->99868 99869 7ff78eacc672 99866->99869 99871 7ff78eacc67b 99867->99871 99872 7ff78ea86414 99867->99872 99870 7ff78eaa4c68 4 API calls 99868->99870 99873 7ff78ea8652c 63 API calls 99869->99873 99888 7ff78eacc6dd Concurrency::wait 99870->99888 99910 7ff78eafc5c8 77 API calls wprintf 99871->99910 99909 7ff78ea8e774 143 API calls Concurrency::wait 99872->99909 99873->99871 99876 7ff78eacc68a 99876->99868 99877 7ff78ea86438 99877->99341 99878 7ff78eacc895 99879 7ff78ea8652c 63 API calls 99878->99879 99880 7ff78eacc8a9 99879->99880 99880->99878 99912 7ff78eaf76d8 77 API calls 3 library calls 99880->99912 99885 7ff78ea8ec00 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 99885->99888 99888->99878 99888->99880 99888->99885 99894 7ff78eaf7400 99888->99894 99897 7ff78eb00210 99888->99897 99901 7ff78ea8b26c 99888->99901 99905 7ff78ea89940 99888->99905 99911 7ff78eaf730c 39 API calls 99888->99911 99890 7ff78ea84107 99889->99890 99892 7ff78ea84130 memcpy_s 99889->99892 99891 7ff78eaa4c68 4 API calls 99890->99891 99891->99892 99892->99858 99893->99852 99895 7ff78eaa4c68 4 API calls 99894->99895 99896 7ff78eaf744e memcpy_s 99895->99896 99896->99888 99898 7ff78eb0022e 99897->99898 99899 7ff78ea8ec00 4 API calls 99898->99899 99900 7ff78eb00250 99899->99900 99900->99888 99902 7ff78ea8b323 99901->99902 99904 7ff78ea8b28f memcpy_s 99901->99904 99903 7ff78eaa4c68 4 API calls 99902->99903 99903->99904 99904->99888 99906 7ff78ea89967 99905->99906 99908 7ff78ea89999 99905->99908 99907 
7ff78eaa4c68 4 API calls 99906->99907 99906->99908 99907->99908 99908->99888 99909->99877 99910->99876 99911->99888 99912->99880 99914 7ff78ea89762 99913->99914 99915 7ff78ea8988d 99913->99915 99914->99915 99916 7ff78eaa4c68 4 API calls 99914->99916 99915->99352 99917 7ff78ea89791 99916->99917 99918 7ff78eaa4c68 4 API calls 99917->99918 99922 7ff78ea8981c 99918->99922 99920 7ff78ea89940 4 API calls 99920->99922 99921 7ff78ea8b26c 4 API calls 99921->99922 99922->99915 99922->99920 99922->99921 99943 7ff78ea8abe0 81 API calls 2 library calls 99922->99943 99926 7ff78ea84dd5 99923->99926 99924 7ff78ea85165 99945 7ff78ea85540 77 API calls 99924->99945 99926->99924 99927 7ff78ea84ef9 99926->99927 99928 7ff78ea850d3 99926->99928 99944 7ff78ea85540 77 API calls 99926->99944 99946 7ff78eb034e4 77 API calls 3 library calls 99927->99946 99928->99354 99942 7ff78ea84b30 Concurrency::wait 99931->99942 99932 7ff78ea84c30 99969 7ff78ea85598 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 99932->99969 99934 7ff78ea84c3c Concurrency::wait 99934->99356 99935 7ff78eacbcbf 99971 7ff78eb034e4 77 API calls 3 library calls 99935->99971 99936 7ff78ea8ec00 4 API calls 99936->99942 99939 7ff78eacbc98 99970 7ff78eb034e4 77 API calls 3 library calls 99939->99970 99942->99932 99942->99934 99942->99935 99942->99936 99942->99939 99947 7ff78ea8f620 99942->99947 99954 7ff78ea84174 99942->99954 99943->99922 99944->99926 99945->99928 99946->99928 99950 7ff78ea8f64a 99947->99950 99953 7ff78ea8f6d4 Concurrency::wait 99947->99953 99948 7ff78ea8f6a6 memcpy_s 99949 7ff78ea8f6bb CharUpperBuffW 99948->99949 99949->99953 99950->99948 99951 7ff78eada9d6 99950->99951 99952 7ff78eaa4c68 4 API calls 99950->99952 99952->99948 99953->99942 99955 7ff78ea89640 4 API calls 99954->99955 99965 7ff78ea841a8 Concurrency::wait 99955->99965 99956 7ff78ea84347 99958 7ff78ea8435f 99956->99958 99968 7ff78ea8441a 99956->99968 99962 7ff78ea8e0a8 4 API calls 99958->99962 99959 7ff78eacbc0d 99959->99942 
99960 7ff78ea84680 4 API calls 99960->99965 99963 7ff78ea843a8 99962->99963 99972 7ff78ea84744 99963->99972 99965->99956 99965->99960 99966 7ff78eacbb99 99965->99966 99965->99968 99981 7ff78eb034e4 77 API calls 3 library calls 99966->99981 99967 7ff78ea843da Concurrency::wait 99967->99942 99982 7ff78eb034e4 77 API calls 3 library calls 99968->99982 99969->99934 99970->99934 99971->99934 99973 7ff78ea84760 99972->99973 99980 7ff78ea847c0 99972->99980 99974 7ff78ea89640 4 API calls 99973->99974 99975 7ff78ea84775 99974->99975 99976 7ff78ea8e0a8 4 API calls 99975->99976 99977 7ff78ea84780 99976->99977 99978 7ff78ea8a7c0 4 API calls 99977->99978 99979 7ff78ea847a6 CharUpperBuffW 99978->99979 99979->99980 99980->99967 99981->99967 99982->99959 99983->99367 99985 7ff78eacba0e 99984->99985 99986 7ff78ea83b40 99984->99986 99989 7ff78ea89a64 99986->99989 99988 7ff78ea83b58 99988->99371 99990 7ff78ea89a69 99989->99990 99991 7ff78ea89a9e 99989->99991 99990->99991 99992 7ff78eabb3c0 15 API calls 99990->99992 99991->99988 99992->99990 99993 7ff78ea84974 99994 7ff78ea84993 99993->99994 99997 7ff78ea84a60 99994->99997 99996 7ff78ea849b8 100000 7ff78ea93c20 99997->100000 99999 7ff78ea84a8c 99999->99996 100019 7ff78ea93c80 100000->100019 100001 7ff78eae05be 100023 7ff78eb034e4 77 API calls 3 library calls 100001->100023 100003 7ff78ea94aa9 100007 7ff78ea94ac0 100003->100007 100008 7ff78ea8e0a8 4 API calls 100003->100008 100005 7ff78eae05d1 100005->99999 100006 7ff78ea94fe7 100009 7ff78ea8e0a8 4 API calls 100006->100009 100007->99999 100010 7ff78ea93dde 100008->100010 100009->100010 100010->99999 100011 7ff78eadfefe 100014 7ff78ea8e0a8 4 API calls 100011->100014 100012 7ff78ea8e0a8 4 API calls 100012->100019 100013 7ff78ea94a8f 100013->100003 100013->100007 100013->100011 100014->100007 100016 7ff78eaa5114 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 100016->100019 100017 7ff78ea89640 RtlPcToFileHeader RaiseException 
EnterCriticalSection LeaveCriticalSection 100017->100019 100018 7ff78eaa50b4 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent _Init_thread_footer 100018->100019 100019->100001 100019->100003 100019->100006 100019->100010 100019->100012 100019->100013 100019->100016 100019->100017 100019->100018 100020 7ff78eaa4f0c 34 API calls __scrt_initialize_thread_safe_statics 100019->100020 100021 7ff78ea95360 414 API calls Concurrency::wait 100019->100021 100022 7ff78eb034e4 77 API calls 3 library calls 100019->100022 100020->100019 100021->100019 100022->100019 100023->100005 100024 7ff78eab1d28 100025 7ff78eab1d49 100024->100025 100026 7ff78eab1d3a GetLastError ExitThread 100024->100026 100037 7ff78eabb778 GetLastError 100025->100037 100028 7ff78eab1d4e 100057 7ff78eabc2a0 100028->100057 100031 7ff78eab1d68 100062 7ff78eb0da70 100031->100062 100033 7ff78eab1d85 100093 7ff78eab2018 100033->100093 100038 7ff78eabb79a 100037->100038 100039 7ff78eabb795 100037->100039 100044 7ff78eabb7e3 100038->100044 100098 7ff78eabdda8 100038->100098 100097 7ff78eabbd6c 6 API calls __vcrt_uninitialize_ptd 100039->100097 100043 7ff78eabb7b9 100049 7ff78eabb3c0 __free_lconv_mon 15 API calls 100043->100049 100046 7ff78eabb7e8 SetLastError 100044->100046 100047 7ff78eabb7fe SetLastError 100044->100047 100046->100028 100109 7ff78eabb26c 35 API calls abort 100047->100109 100052 7ff78eabb7c0 100049->100052 100050 7ff78eabb7d0 100050->100043 100053 7ff78eabb7d7 100050->100053 100052->100047 100108 7ff78eabb528 15 API calls _mbstowcs_s_l 100053->100108 100055 7ff78eabb7dc 100056 7ff78eabb3c0 __free_lconv_mon 15 API calls 100055->100056 100056->100044 100058 7ff78eab1d5a 100057->100058 100059 7ff78eabc2be 100057->100059 100058->100031 100096 7ff78eabc1dc 5 API calls __vcrt_uninitialize_ptd 100058->100096 100112 7ff78eabba2c LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary GetProcAddress 100059->100112 100061 7ff78eabc2dd 100061->100058 100063 7ff78ea89640 4 API calls 100062->100063 
100064 7ff78eb0da9b 100063->100064 100065 7ff78ea89640 4 API calls 100064->100065 100066 7ff78eb0daa5 100065->100066 100067 7ff78ea89640 4 API calls 100066->100067 100068 7ff78eb0daaf 100067->100068 100069 7ff78ea89640 4 API calls 100068->100069 100070 7ff78eb0dab8 100069->100070 100071 7ff78ea89640 4 API calls 100070->100071 100072 7ff78eb0dac1 100071->100072 100073 7ff78ea89640 4 API calls 100072->100073 100074 7ff78eb0daca 100073->100074 100075 7ff78ea89640 4 API calls 100074->100075 100076 7ff78eb0dad3 100075->100076 100113 7ff78eb0ec38 100076->100113 100078 7ff78eb0dae1 100079 7ff78eb0dae5 100078->100079 100133 7ff78eb0e708 100078->100133 100172 7ff78eb0eab8 100079->100172 100083 7ff78eb0db5a 100086 7ff78eb0e7e4 6 API calls 100083->100086 100084 7ff78eb0db2d 100084->100079 100085 7ff78eb0db39 100084->100085 100139 7ff78eb0e7e4 100085->100139 100089 7ff78eb0db66 100086->100089 100087 7ff78eb0db26 100087->100033 100177 7ff78eb0d7dc 107 API calls 100089->100177 100090 7ff78eb0db45 100147 7ff78eb0dbf0 InternetConnectW 100090->100147 100242 7ff78eab1da0 100093->100242 100096->100031 100097->100038 100099 7ff78eabddb9 100098->100099 100100 7ff78eabddc7 fread_s 100098->100100 100099->100100 100101 7ff78eabde0a 100099->100101 100100->100101 100102 7ff78eabddee HeapAlloc 100100->100102 100110 7ff78eaa925c EnterCriticalSection LeaveCriticalSection fread_s 100100->100110 100111 7ff78eab55d4 15 API calls _invalid_parameter_noinfo 100101->100111 100102->100100 100103 7ff78eabde08 100102->100103 100105 7ff78eabb7b1 100103->100105 100105->100043 100107 7ff78eabbdc4 6 API calls __vcrt_uninitialize_ptd 100105->100107 100107->100050 100108->100055 100110->100100 100111->100105 100112->100061 100114 7ff78eb0ec6c __scrt_fastfail 100113->100114 100115 7ff78eb0ec99 InternetCrackUrlW 100114->100115 100116 7ff78eb0ed55 Concurrency::wait 100115->100116 100117 7ff78eb0ecb4 100115->100117 100116->100078 100178 7ff78ea8da0c RtlPcToFileHeader RaiseException EnterCriticalSection 
LeaveCriticalSection memcpy_s 100117->100178 100119 7ff78eb0ecc7 100179 7ff78ea8da0c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 100119->100179 100121 7ff78eb0ecdb 100180 7ff78ea8da0c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 100121->100180 100123 7ff78eb0ecef 100181 7ff78ea8da0c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 100123->100181 100125 7ff78eb0ed03 100182 7ff78ea8da0c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 100125->100182 100127 7ff78eb0ed1d 100183 7ff78ea8da0c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 100127->100183 100129 7ff78eb0ed37 100184 7ff78eaa364c RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 100129->100184 100131 7ff78eb0ed46 100132 7ff78ea8e0a8 4 API calls 100131->100132 100132->100116 100134 7ff78eb0e71e InternetOpenW 100133->100134 100136 7ff78eb0db0a 100134->100136 100137 7ff78eb0e781 100134->100137 100136->100079 100136->100083 100136->100084 100137->100136 100138 7ff78eb0e78a InternetSetOptionW 100137->100138 100138->100136 100140 7ff78eb0e85d 100139->100140 100141 7ff78eb0e802 100139->100141 100140->100090 100141->100140 100142 7ff78eb0e807 InternetQueryOptionW 100141->100142 100142->100140 100143 7ff78eb0e824 100142->100143 100144 7ff78eaa4c68 4 API calls 100143->100144 100145 7ff78eb0e82d __scrt_fastfail 100144->100145 100146 7ff78eb0e83f InternetQueryOptionW 100145->100146 100146->100140 100148 7ff78eb0dc6d 100147->100148 100149 7ff78eb0dc86 HttpOpenRequestW 100147->100149 100150 7ff78eb0eab8 2 API calls 100148->100150 100151 7ff78eb0dcb7 100149->100151 100152 7ff78eb0dcbf 100149->100152 100153 7ff78eb0dc81 100150->100153 100159 7ff78eb0eab8 2 API calls 100151->100159 100154 7ff78eb0dcd2 100152->100154 100210 7ff78eb0eb00 InternetSetOptionW InternetSetOptionW 100152->100210 100153->100087 100155 
7ff78eb0dcd9 InternetQueryOptionW InternetSetOptionW 100154->100155 100156 7ff78eb0dd11 HttpSendRequestW 100154->100156 100155->100156 100156->100151 100158 7ff78eb0dd2b 100156->100158 100185 7ff78eb0dba0 HttpQueryInfoW 100158->100185 100171 7ff78eb0dd8c 100159->100171 100161 7ff78eb0dd33 100161->100151 100163 7ff78eb0dd3a HttpQueryInfoW 100161->100163 100162 7ff78eb0ddbd InternetCloseHandle 100162->100153 100186 7ff78eaaa838 100163->100186 100166 7ff78eb0dd7e 100167 7ff78eb0dd87 100166->100167 100168 7ff78eb0dd8e 100166->100168 100190 7ff78eb0e968 InternetQueryDataAvailable 100167->100190 100200 7ff78eb0e87c 100168->100200 100171->100153 100171->100162 100173 7ff78eb0eadd 100172->100173 100174 7ff78eb0ead4 GetLastError 100172->100174 100175 7ff78eb0eae9 SetEvent 100173->100175 100176 7ff78eb0eaef 100173->100176 100174->100173 100175->100176 100176->100087 100177->100087 100178->100119 100179->100121 100180->100123 100181->100125 100182->100127 100183->100129 100184->100131 100185->100161 100187 7ff78eaaa84c _snwprintf 100186->100187 100211 7ff78eaaa054 100187->100211 100191 7ff78eb0e9c1 100190->100191 100194 7ff78eb0ea6d 100190->100194 100199 7ff78eb0e9c6 100191->100199 100192 7ff78eb0e9d9 InternetReadFile 100195 7ff78eb0ea63 100192->100195 100192->100199 100193 7ff78eaa4c68 4 API calls 100193->100199 100196 7ff78eb0eab8 2 API calls 100194->100196 100195->100194 100197 7ff78eb0eaa5 100196->100197 100197->100171 100199->100191 100199->100192 100199->100193 100199->100194 100199->100195 100241 7ff78eb0ee98 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection memcpy_s 100199->100241 100201 7ff78eab48e0 89 API calls 100200->100201 100203 7ff78eb0e8a9 100201->100203 100202 7ff78eb0e8c2 InternetReadFile 100202->100203 100204 7ff78eb0e8b1 100202->100204 100203->100202 100203->100204 100206 7ff78eab2a04 60 API calls 100203->100206 100205 7ff78eb0eab8 2 API calls 100204->100205 100207 7ff78eb0e93b 100205->100207 100206->100203 100208 7ff78eb0e94a 

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                • String ID: A$AutoIt v3$DISPLAY$msctls_progress32$static
                                                • API String ID: 2910397461-2439800395
                                                • Opcode ID: 62736c611084135e4bd5d9204506b1bf2fce8630a56208639ab46777f586b44a
                                                • Instruction ID: f54fa858ee0d294e9a06129cc02690204555dc67848dbede6f5abe4c2e92789f
                                                • Opcode Fuzzy Hash: 62736c611084135e4bd5d9204506b1bf2fce8630a56208639ab46777f586b44a
                                                • Instruction Fuzzy Hash: D2E1847660978187E714EFA5E840A6EBBA1F788B94FA04135DE4E53B64CF7CE444CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                                                • String ID: -$:$:$?$W. Europe Standard Time$W. Europe Summer Time
                                                • API String ID: 3440502458-293611612
                                                • Opcode ID: 2484a17d68417765dfea95e8ed30be907b8393143ee9075556b7ff4147a9153c
                                                • Instruction ID: 0d5c68d91229d471494beb3640050a400fd81665c215b82e48b84864481fb127
                                                • Opcode Fuzzy Hash: 2484a17d68417765dfea95e8ed30be907b8393143ee9075556b7ff4147a9153c
                                                • Instruction Fuzzy Hash: 44E1F832A0868286F724AFB59850DBAAB90FF84B94FE45135EA4D43B95DF3CD481C731
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA837F2
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA83807
                                                • GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA8388D
                                                  • Part of subcall function 00007FF78EA83F9C: GetFullPathNameW.KERNEL32(D000000000000000,00007FF78EA838BF,?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA83FFD
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA83924
                                                • MessageBoxA.USER32 ref: 00007FF78EACB888
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EACB8E1
                                                • GetForegroundWindow.USER32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EACB968
                                                • ShellExecuteW.SHELL32 ref: 00007FF78EACB98F
                                                  • Part of subcall function 00007FF78EA83B84: GetSysColorBrush.USER32 ref: 00007FF78EA83B9E
                                                  • Part of subcall function 00007FF78EA83B84: LoadCursorW.USER32 ref: 00007FF78EA83BAE
                                                  • Part of subcall function 00007FF78EA83B84: LoadIconW.USER32 ref: 00007FF78EA83BC3
                                                  • Part of subcall function 00007FF78EA83B84: LoadIconW.USER32 ref: 00007FF78EA83BDC
                                                  • Part of subcall function 00007FF78EA83B84: LoadIconW.USER32 ref: 00007FF78EA83BF5
                                                  • Part of subcall function 00007FF78EA83B84: LoadImageW.USER32 ref: 00007FF78EA83C21
                                                  • Part of subcall function 00007FF78EA83B84: RegisterClassExW.USER32 ref: 00007FF78EA83C85
                                                  • Part of subcall function 00007FF78EA83CBC: CreateWindowExW.USER32 ref: 00007FF78EA83D0C
                                                  • Part of subcall function 00007FF78EA83CBC: CreateWindowExW.USER32 ref: 00007FF78EA83D5F
                                                  • Part of subcall function 00007FF78EA83CBC: ShowWindow.USER32 ref: 00007FF78EA83D75
                                                  • Part of subcall function 00007FF78EA86258: Shell_NotifyIconW.SHELL32 ref: 00007FF78EA86350
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Load$IconWindow$CurrentDirectory$CreateFullNamePath$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_Show
                                                • String ID: This is a third-party compiled AutoIt script.$runas
                                                • API String ID: 1593035822-3287110873
                                                • Opcode ID: 14502464df88b26587198eb55456a84b4b8cf595b5aa313ecbe0d8dbfcbc0cc2
                                                • Instruction ID: 7f8390da730490c778504165d003e01f0fc604eba2bb4e2d1cbaa100ec3db0db
                                                • Opcode Fuzzy Hash: 14502464df88b26587198eb55456a84b4b8cf595b5aa313ecbe0d8dbfcbc0cc2
                                                • Instruction Fuzzy Hash: 1771906191C58396EA20BBE4E840DF9EB60BF45B54FE00132D54D46AA6DF7CEA49C331
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
                                                • String ID: ?$W. Europe Standard Time$W. Europe Summer Time
                                                • API String ID: 2482340769-2360834014
                                                • Opcode ID: 94c2f1c66049ff4599948a3e12081019eb49e95131d575ab39d1df6a0a8379ea
                                                • Instruction ID: 597cce4ca0a231c6d613e14a65acc668bd46146c48dbd8926c9fca790046a83a
                                                • Opcode Fuzzy Hash: 94c2f1c66049ff4599948a3e12081019eb49e95131d575ab39d1df6a0a8379ea
                                                • Instruction Fuzzy Hash: 92617232A0CA4286E750EFA1D8809B9B7A4FF44BA4FE41135EA4D467A4DF3CE481C771
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                • String ID: AU3!$EA06$SCRIPT
                                                • API String ID: 3051347437-2925976212
                                                • Opcode ID: 8165953c8bb736b98abf10147c833f44bebc3c15c283c8a92a542f8889041f48
                                                • Instruction ID: 6d51bbce247435b3bd17e8da56140a2d3e11b12a9d86d63121c9086657a69b61
                                                • Opcode Fuzzy Hash: 8165953c8bb736b98abf10147c833f44bebc3c15c283c8a92a542f8889041f48
                                                • Instruction Fuzzy Hash: 4F91F6B2B0969185F710EBA1D444E7CABA9BB85F84FA14135DE6D47785DF3CE404C321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Process$CurrentInfoSystemVersionWow64
                                                • String ID: |O
                                                • API String ID: 1568231622-607156228
                                                • Opcode ID: ce19e78e8b613063c291fba3ed7269d4c53d8962987fa44a2d43366d5ba53db5
                                                • Instruction ID: 2a3562ca024e6f9f91f36f4fd71b66481c4c2ebc1c78570c0bcfac70709d2170
                                                • Opcode Fuzzy Hash: ce19e78e8b613063c291fba3ed7269d4c53d8962987fa44a2d43366d5ba53db5
                                                • Instruction Fuzzy Hash: 27D17161A1D3C286E620ABD9AC10975FFA0BF52B84FE00077D54E42A75DF7CA984C772
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Directory$Handle$CloseCurrentLockSyncSystem$CreateErrorLastProcess
                                                • String ID:
                                                • API String ID: 1787492119-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 2649000838-1173974218
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: Init_thread_footer
                                                • String ID: Variable must be of type 'Object'.
                                                • API String ID: 1385522511-109567571
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 1083639309-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: FileInternetRead_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 101623796-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: NameQueryValuewcscat$CloseFileFullModuleOpenPath
                                                • String ID: Include$Software\AutoIt v3\AutoIt$\Include\
                                                • API String ID: 2667193904-1575078665
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                • String ID: TaskbarCreated
                                                • API String ID: 129472671-2362178303
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-2659433951
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: DestroySendStringUninitializeUnregisterWindow
                                                • String ID: close all
                                                • API String ID: 1992507300-3243417748
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                • String ID: AutoIt v3
                                                • API String ID: 423443420-1704141276
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                • String ID:
                                                • API String ID: 1617910340-0
                                                • Opcode ID: bd4a1088ede243f3322a3f1c9bbf7769167306ab08ad22946a7c562bc07e9b3d
                                                • Instruction ID: f8c5e7978030ddcde63ea628b98dba714e7213f5ee28f74180e358dfc0acb5ec
                                                • Opcode Fuzzy Hash: bd4a1088ede243f3322a3f1c9bbf7769167306ab08ad22946a7c562bc07e9b3d
                                                • Instruction Fuzzy Hash: 70C1CD32B18A458AEB50AFB4D441BBC77A1FB48BA8F601235DE2E5B795DF38E051C311
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Message$Peek$DispatchInputStateTimeTranslatetime
                                                • String ID:
                                                • API String ID: 3249950245-0
                                                • Opcode ID: debac6e36d0bcbce5df70d5d1c7e316091b7ffbb6cc9afe421cf6e766bb887b4
                                                • Instruction ID: b1536fd6d40cb7df3058e201ea3f7655299dbf5b145d00cd532849930ad37969
                                                • Opcode Fuzzy Hash: debac6e36d0bcbce5df70d5d1c7e316091b7ffbb6cc9afe421cf6e766bb887b4
                                                • Instruction Fuzzy Hash: 0D22B232A0C68286FB64BBA4E844BB9F7A0FB45F44FA44136DA5D43695CF3CE441C762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Internet$CloseConnectErrorEventHandleHttpLastOpenRequest
                                                • String ID:
                                                • API String ID: 3401586794-0
                                                • Opcode ID: 37be9930858cfe08900dee1a106cf1c77c63f4148adc203acd435acb12a00bc6
                                                • Instruction ID: a23eb590b2a3abb19cc57a688daf79953464d14d58af59066ac999771d5f9720
                                                • Opcode Fuzzy Hash: 37be9930858cfe08900dee1a106cf1c77c63f4148adc203acd435acb12a00bc6
                                                • Instruction Fuzzy Hash: AA51E53660878287FB14EF61A840EAEBBA0FB48B88FA44131DE0D13B44DF39E455C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$Create$Show
                                                • String ID: AutoIt v3$d$edit
                                                • API String ID: 2813641753-2600919596
                                                • Opcode ID: 412c1a8e669cd880a5e6e492a58c687317b7b955f6e005d5c76c80bfee5a5580
                                                • Instruction ID: 1a2c5176b27c6d698586270cda43b537edf5065f31e6245ebb88dc728048e205
                                                • Opcode Fuzzy Hash: 412c1a8e669cd880a5e6e492a58c687317b7b955f6e005d5c76c80bfee5a5580
                                                • Instruction Fuzzy Hash: 3D21AE72A2CB4187E710DB54F849B29BBF0F789799FA14239E68D46A64CF7DC044CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 2082702847-0
                                                • Opcode ID: a458dfd9bfd9b277759dc90733565293cd25b8068806620b860b1285bf48ee5e
                                                • Instruction ID: 85bd58d894468bb10f8c2c69850f195c8cf1434e784536d50f3b9f8dde9dacc3
                                                • Opcode Fuzzy Hash: a458dfd9bfd9b277759dc90733565293cd25b8068806620b860b1285bf48ee5e
                                                • Instruction Fuzzy Hash: 9B216D21A0AB4281EE14BBE0A404A79E2D1BF94FB4FB40735DAAD467D4DF3CE414C662
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                • Opcode ID: f29f2ab1c13e66daf1f8c2b4a146e68bdfc50a5cc3b930cf9745f903616afb6d
                                                • Instruction ID: d961e9d5341d533b4e0b3e225517dadf204de02154bcf88a9dea9745bc5a261f
                                                • Opcode Fuzzy Hash: f29f2ab1c13e66daf1f8c2b4a146e68bdfc50a5cc3b930cf9745f903616afb6d
                                                • Instruction Fuzzy Hash: 4081D322A2865695F720BFA59440ABDABE1BF84F44FA08135DD8E577D1CF3CE441C722
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_invalid_parameter_noinfo_onexit_set_fmode
                                                • String ID:
                                                • API String ID: 2117695475-0
                                                • Opcode ID: c5af1a2945e0b28d35ed004d247bbfb317608e89d5a488d8119e5cdd6fee6e2c
                                                • Instruction ID: 4f37197920981fc10f99e6686a66b790406613961271f8497ca1f2a06f6bebd4
                                                • Opcode Fuzzy Hash: c5af1a2945e0b28d35ed004d247bbfb317608e89d5a488d8119e5cdd6fee6e2c
                                                • Instruction Fuzzy Hash: E9115D11E0834345FA5476F26456ABC92827F85F01FF40438E55D5A2C3EF3EA859C6BB
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ErrorExitLastThread
                                                • String ID:
                                                • API String ID: 1611280651-0
                                                • Opcode ID: 99fd53b48de60ad2b3b37300d72bcddb8f2580f530d7a1e219e10e2618182fab
                                                • Instruction ID: 7d5477bb052b5f7c327c0ded959f44caea08d9f66b9cbd53b7a7859a23dd8c0b
                                                • Opcode Fuzzy Hash: 99fd53b48de60ad2b3b37300d72bcddb8f2580f530d7a1e219e10e2618182fab
                                                • Instruction Fuzzy Hash: EF012C21B19642D2EA047BA09445A7CA7A1FF90B75FE01735C6BE02AD5DF3CE858C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00007FF78EAA2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF78EA87FA5), ref: 00007FF78EAA2D8E
                                                  • Part of subcall function 00007FF78EAA2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF78EA87FA5), ref: 00007FF78EAA2D9C
                                                  • Part of subcall function 00007FF78EAA2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF78EA87FA5), ref: 00007FF78EAA2DAC
                                                  • Part of subcall function 00007FF78EAA2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF78EA87FA5), ref: 00007FF78EAA2DBC
                                                  • Part of subcall function 00007FF78EAA2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF78EA87FA5), ref: 00007FF78EAA2DCA
                                                  • Part of subcall function 00007FF78EAA2D5C: MapVirtualKeyW.USER32(?,?,?,00007FF78EA87FA5), ref: 00007FF78EAA2DD8
                                                  • Part of subcall function 00007FF78EA9EEC8: RegisterWindowMessageW.USER32 ref: 00007FF78EA9EF76
                                                • GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78EA8106D), ref: 00007FF78EA88209
                                                • OleInitializeWOW.OLE32 ref: 00007FF78EA8828F
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78EA8106D), ref: 00007FF78EACD36A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                • String ID: AutoIt
                                                • API String ID: 1986988660-2515660138
                                                • Opcode ID: 4244e21068e8c91e310eca5dc6ae699cb2811c2f9282692ac0fed3969635a3a6
                                                • Instruction ID: 194a4a9fedf10668caa6810bd4c7ae7acebfab788d8efb3c2adbd5da49f247b7
                                                • Opcode Fuzzy Hash: 4244e21068e8c91e310eca5dc6ae699cb2811c2f9282692ac0fed3969635a3a6
                                                • Instruction Fuzzy Hash: 06C1D771D19B4286E740FBA8AC91874FBA4BF96740FB0023BD55D82A61EF7CA151C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Similarity
                                                • API ID: IconLoadNotifyShell_Stringwcscpy
                                                • String ID: Line:
                                                • API String ID: 3135491444-1585850449
                                                • Opcode ID: 1bf3ee93fc45a1699e44ee0231c4e24a40c79c0c321c71349712c6b358204ebc
                                                • Instruction ID: 609473080301a90ff19e41d15f347eae9bc1ac450cee9adeb9d67ad170598ff2
                                                • Opcode Fuzzy Hash: 1bf3ee93fc45a1699e44ee0231c4e24a40c79c0c321c71349712c6b358204ebc
                                                • Instruction Fuzzy Hash: FB419872A0C64296E720FBA4D840AF9A771FB55748FE44032EA4C43A9ADF7CD944C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetOpenFileNameW.COMDLG32 ref: 00007FF78EACBAA2
                                                  • Part of subcall function 00007FF78EA856D4: GetFullPathNameW.KERNEL32(?,00007FF78EA856C1,?,00007FF78EA87A0C,?,?,?,00007FF78EA8109E), ref: 00007FF78EA856FF
                                                  • Part of subcall function 00007FF78EA83EB4: GetLongPathNameW.KERNEL32 ref: 00007FF78EA83ED8
                                                Strings
                                                Similarity
                                                • API ID: Name$Path$FileFullLongOpen
                                                • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$au3
                                                • API String ID: 779396738-2360590182
                                                • Opcode ID: 3d3fc2c380e417bd563531e27a10fb74c95a399e56ca3ea23b17778c650accb1
                                                • Instruction ID: 813d2236c1610e38ae511ed1dc2cd3cd756bc18bd4f745818986456e8c67ed4f
                                                • Opcode Fuzzy Hash: 3d3fc2c380e417bd563531e27a10fb74c95a399e56ca3ea23b17778c650accb1
                                                • Instruction Fuzzy Hash: DB31AD32608B8289E710EB61E8405BDBBA8FB49B84FA84135DE8C47B55CF3CD545CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Internet$OpenOption
                                                • String ID: <local>
                                                • API String ID: 942729171-4266983199
                                                • Opcode ID: 8fc137a1ef2bd80f32763a254e30885bf035247cf28a45f4fd96fdfcbffecfa0
                                                • Instruction ID: 52fdfa7d4292c4f0a3ef6767dacc8d9727bbadd38de519e84270e09feb64a037
                                                • Opcode Fuzzy Hash: 8fc137a1ef2bd80f32763a254e30885bf035247cf28a45f4fd96fdfcbffecfa0
                                                • Instruction Fuzzy Hash: E0119836A1964187EB619B55E100FFDB6A1F780B48FF44035DB8D06A94DF3DE886C710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: IconNotifyShell_Timer$Killwcscpy
                                                • String ID:
                                                • API String ID: 3812282468-0
                                                • Opcode ID: 1dc440ecac87e2ff0ffd0982a4a0d0d2f1018b32bcde9ffe5d1424b8b2f1a591
                                                • Instruction ID: 72afb871dea341e81f48d8f576ade733c6e01a39c6479f0554b6fca170880cb2
                                                • Opcode Fuzzy Hash: 1dc440ecac87e2ff0ffd0982a4a0d0d2f1018b32bcde9ffe5d1424b8b2f1a591
                                                • Instruction Fuzzy Hash: A131D322A0DBC287EB219B51A1406B9BBA9F745F84FA84036DE4C07749CF3CD644C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: da67b6e4ee0ccb07d4ddc733fe182bcf3cb944a282399a4954123a4e53963194
                                                • Instruction ID: 26ebb8d09c41ca527c8d38a9b709a78f4dcfb9699d6500de621ad4f70a1d74b2
                                                • Opcode Fuzzy Hash: da67b6e4ee0ccb07d4ddc733fe182bcf3cb944a282399a4954123a4e53963194
                                                • Instruction Fuzzy Hash: AD314336A08A8281D700EF96E54186DF760FB89F94BA59432DF4D57B55CF38E890C350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,00007FF78EA86F52,?,?,?,?,?,?,00007FF78EA8782C), ref: 00007FF78EA86FA5
                                                • RegQueryValueExW.KERNEL32(?,?,?,?,?,?,?,00007FF78EA86F52,?,?,?,?,?,?,00007FF78EA8782C), ref: 00007FF78EA86FD3
                                                • RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00007FF78EA86F52,?,?,?,?,?,?,00007FF78EA8782C), ref: 00007FF78EA86FFA
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: f9d145549c06eb65d00f5eb7279f160a7e02f1bbdde725fe5b236e37f00bb809
                                                • Instruction ID: f6db2eb6bf0bb360f5550b820749a31d5de785e2fa5f93b0cf793adb05512b43
                                                • Opcode Fuzzy Hash: f9d145549c06eb65d00f5eb7279f160a7e02f1bbdde725fe5b236e37f00bb809
                                                • Instruction Fuzzy Hash: 0D219D33A28B5187D7109F65E44096EB3F4FB88B84BA51131EB9D83B14DF39E814CB14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 898675fe9218c456e9635897f2d1d868c629d4b8853c74df44181d0bc5e5716e
                                                • Instruction ID: 5d7f3e81b4d492c4541371541b617aa9a364c774d9d794a94d48216bfccb4bf2
                                                • Opcode Fuzzy Hash: 898675fe9218c456e9635897f2d1d868c629d4b8853c74df44181d0bc5e5716e
                                                • Instruction Fuzzy Hash: 5CE01220B0574582FB447BE15C85A759752BF84F41FA05438C94F02392CF3DE408C261
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Init_thread_footer
                                                • String ID: CALL
                                                • API String ID: 1385522511-4196123274
                                                • Opcode ID: 672e0359144240262c2c24c6d85faf9a77711ff5f87969df384104f8d95a6f95
                                                • Instruction ID: eb662a417c5e118c59ef053bf6fda2036025402abe8f53e6fb9f6d677faf9111
                                                • Opcode Fuzzy Hash: 672e0359144240262c2c24c6d85faf9a77711ff5f87969df384104f8d95a6f95
                                                • Instruction Fuzzy Hash: 56229F72B086428AEB10EFA5D440ABCB7B5FB84F88FA04136DA2D57795DF38E445C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Library$Load$AddressFreeProc
                                                • String ID:
                                                • API String ID: 2632591731-0
                                                • Opcode ID: 1a82a74e2b3ab26fd3f782dcd3763a100b44bdead9b975d120a4eadf26d1e08e
                                                • Instruction ID: df1289d901e2a0126167b2370a814b02fe8c62f3e456f67e5efb272e3e4efa66
                                                • Opcode Fuzzy Hash: 1a82a74e2b3ab26fd3f782dcd3763a100b44bdead9b975d120a4eadf26d1e08e
                                                • Instruction Fuzzy Hash: 53419132B04A1286FB10EFA5D4517FCA3A4FB84B88F944131EA5D47A9ADF3CD444C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: IconNotifyShell_
                                                • String ID:
                                                • API String ID: 1144537725-0
                                                • Opcode ID: 32275c29c25acc732941c8e4684a790687827c850461c861846bda9725fb2c55
                                                • Instruction ID: 041c4c219579c1d568c37a282795eb108083e2df7d2b6a205d1877dab7d24394
                                                • Opcode Fuzzy Hash: 32275c29c25acc732941c8e4684a790687827c850461c861846bda9725fb2c55
                                                • Instruction Fuzzy Hash: F241CC32908B4582E751AF54E4407B8B7A8FB48F88FA40135DE5C07798CF7CD580C760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ChangeCloseErrorFindLastNotification
                                                • String ID:
                                                • API String ID: 1687624791-0
                                                • Opcode ID: 002ee005d6ec78c53f39e4c0500c246461289f80a8623e937adbc3f867fac835
                                                • Instruction ID: 9106d34263aac87f47204fb5911cdb0853aa6c933b8a30cf0c9593567929e241
                                                • Opcode Fuzzy Hash: 002ee005d6ec78c53f39e4c0500c246461289f80a8623e937adbc3f867fac835
                                                • Instruction Fuzzy Hash: 4F11B420B0C24641EEA477E4A5D4A7991C17F95F74FB44274DA2E063D2CF7CA880C223
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: FullNamePathwcscat
                                                • String ID:
                                                • API String ID: 2785955394-0
                                                • Opcode ID: 61d7f396efac4d7c8dcca00735e7da44ea5546610d5c1063c020ec5f06465761
                                                • Instruction ID: 2cd624967b838cf038568262d64a8defbd477feb40605e906440d0db73844f21
                                                • Opcode Fuzzy Hash: 61d7f396efac4d7c8dcca00735e7da44ea5546610d5c1063c020ec5f06465761
                                                • Instruction Fuzzy Hash: E021A131A0C69781E620FB94E4409BAE760FF84F84FE14132E98C43A96DF7CE645C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: InternetOptionQuery
                                                • String ID:
                                                • API String ID: 2202126096-0
                                                • Opcode ID: 15af93d59ef8ffc7f975a0016be29c74e93e00474df01bcf486ce6a56acfa817
                                                • Instruction ID: cb61cc3bc82490306688793edfbb90102ae3c843bb0f750a82337f43e6f9affb
                                                • Opcode Fuzzy Hash: 15af93d59ef8ffc7f975a0016be29c74e93e00474df01bcf486ce6a56acfa817
                                                • Instruction Fuzzy Hash: 5911A932A1478183D614EF92E05587DF7A1FB88F80BA5903AEA4E03B54CF3CE440CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF78EABA2E2), ref: 00007FF78EAC3EB0
                                                • FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF78EABA2E2), ref: 00007FF78EAC3F15
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: EnvironmentStrings$Free
                                                • String ID:
                                                • API String ID: 3328510275-0
                                                • Opcode ID: 7a2552942933b56ccb1f3da2e42ebda5c79027b354ecde1dfe545767dcb9d8c9
                                                • Instruction ID: 13b56cc03c625f760d39e1a917683c82974e1a7cf46174a8a4cf2ac9b5b5b146
                                                • Opcode Fuzzy Hash: 7a2552942933b56ccb1f3da2e42ebda5c79027b354ecde1dfe545767dcb9d8c9
                                                • Instruction Fuzzy Hash: AC016121A09B4185DE10BB96640147EA6A0FF88FE0BE80235DA9E077D5DF3CE485C351
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ErrorExitLastThread
                                                • String ID:
                                                • API String ID: 1611280651-0
                                                • Opcode ID: 9fa5a87bb94733646178d1bac7777d12b76a8cc09730e0683fb8d1386efd9485
                                                • Instruction ID: b7f2e6a7d50851ae977184666b973284d1926c649727e60c0cfac93b09ba57bc
                                                • Opcode Fuzzy Hash: 9fa5a87bb94733646178d1bac7777d12b76a8cc09730e0683fb8d1386efd9485
                                                • Instruction Fuzzy Hash: 2FF04421A1974285EB087BF1A5519BD9750BF85F90FA81434EA8A17297CF3CD444C321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: CloseCreateEventHandle
                                                • String ID:
                                                • API String ID: 3369476804-0
                                                • Opcode ID: dc2a3152bce0372cd7696dcfe9dea8a7d253f9a0843508d3f5c82eb9e32e4830
                                                • Instruction ID: 4a1c9f445241c32478d2b763fba46fabbee9dd9218e3b3e04d18e6d7ebf5a6a7
                                                • Opcode Fuzzy Hash: dc2a3152bce0372cd7696dcfe9dea8a7d253f9a0843508d3f5c82eb9e32e4830
                                                • Instruction Fuzzy Hash: A9F0C232E0924286FB65ABE1A056FF4AAA0BF48B04FA84134CB0D09590CF3C2085C720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: InputSleepStateTimetime
                                                • String ID:
                                                • API String ID: 4149333218-0
                                                • Opcode ID: 8bcfbedc1fce9704412f760671249398a062c7d03cdb34a5aaa933979ff729f8
                                                • Instruction ID: b6501e8067e0d29557e5f2e5c6e4d49f153fdf13766576f6dfce4c5fdfeaddea
                                                • Opcode Fuzzy Hash: 8bcfbedc1fce9704412f760671249398a062c7d03cdb34a5aaa933979ff729f8
                                                • Instruction Fuzzy Hash: 0BF0FF32A08A4685E744AFA6E84557DE2A4FB48F84FA88435DE4DC7355DF3CD884C621
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsThemeActive.UXTHEME ref: 00007FF78EA83756
                                                  • Part of subcall function 00007FF78EAA9334: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78EAA9348
                                                  • Part of subcall function 00007FF78EA836E8: SystemParametersInfoW.USER32 ref: 00007FF78EA83705
                                                  • Part of subcall function 00007FF78EA836E8: SystemParametersInfoW.USER32 ref: 00007FF78EA83725
                                                  • Part of subcall function 00007FF78EA837B0: GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA837F2
                                                  • Part of subcall function 00007FF78EA837B0: IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA83807
                                                  • Part of subcall function 00007FF78EA837B0: GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA8388D
                                                  • Part of subcall function 00007FF78EA837B0: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF78EA83785), ref: 00007FF78EA83924
                                                • SystemParametersInfoW.USER32 ref: 00007FF78EA83797
                                                Similarity
                                                • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 4207566314-0
                                                • Opcode ID: 125559b38fbd26b10a906e66ef6d00d9a995a301863d6166c855ae18de5db764
                                                • Instruction ID: 753cb4351aa7ff3d9e99ffbc63d384b5a78fd0b8b894d59c21864618180aeabc
                                                • Opcode Fuzzy Hash: 125559b38fbd26b10a906e66ef6d00d9a995a301863d6166c855ae18de5db764
                                                • Instruction Fuzzy Hash: 87012CB0D0C2428BF700BBE9AC01D75AAA1BF09B00FE50036D44C866A2CF3CA488C721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                • String ID:
                                                • API String ID: 588628887-0
                                                • Opcode ID: 3a3ca9d619edea9c8d6b14ea3b5be24cbdeed60e72e2f20e181f770ec40af026
                                                • Instruction ID: 55210f610148f6c033bc11dcab84523573d5c7f5f0e89c4e70f9a59a6d42a091
                                                • Opcode Fuzzy Hash: 3a3ca9d619edea9c8d6b14ea3b5be24cbdeed60e72e2f20e181f770ec40af026
                                                • Instruction Fuzzy Hash: CAE08650E0950382FF147BF3580587996D27F84F41FE44030C84D46651DF3CE485C621
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Init_thread_footer
                                                • String ID:
                                                • API String ID: 1385522511-0
                                                • Opcode ID: d876e59f2124bdaf53ff04f9243ff1602a2028ac0c3cc9d4efc4eadfbaa73c41
                                                • Instruction ID: 98ce01cac59996751a77a72673cc78f3ccd18a0859763df7cc08e2714860974d
                                                • Opcode Fuzzy Hash: d876e59f2124bdaf53ff04f9243ff1602a2028ac0c3cc9d4efc4eadfbaa73c41
                                                • Instruction Fuzzy Hash: ED32F222A0C68286EB60FB95D844BB9E7A1FB94F84FE54131DA1D07B95DF3CE441C722
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Message
                                                • String ID:
                                                • API String ID: 2030045667-0
                                                • Opcode ID: 5514f33b6170b66333be5fa0d5b22f8af53f52cbb1839318c342b12bdd2b7cbf
                                                • Instruction ID: f14c2ccf088d6946f6233028472016086af0fcd26bab4dc6538c5eccf902f98f
                                                • Opcode Fuzzy Hash: 5514f33b6170b66333be5fa0d5b22f8af53f52cbb1839318c342b12bdd2b7cbf
                                                • Instruction Fuzzy Hash: F5515B32A04B55C6EB04EBA6D88086CB7B1FB48FE4BA04536DE2D47795DF38D491C311
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                • Opcode ID: dd4133bde21de890b5bbedec510097a64f5f9819fecfb9588d4762bde154bc8e
                                                • Instruction ID: 2565a781fb4c6517ebb8bc0d536a413ecd2164eb43faef1c874f1a0f5dbfdb6a
                                                • Opcode Fuzzy Hash: dd4133bde21de890b5bbedec510097a64f5f9819fecfb9588d4762bde154bc8e
                                                • Instruction Fuzzy Hash: 9B41E721B0824146EA64ADE65504A39E281BF85FE0FE84A35EEED477C5DF3CE441C232
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: e4be371c5d4381fa2aee947fc978330a46ed3a381e9b0a6def4662969b34fbf2
                                                • Instruction ID: ea011b50070a03266d58a556fb88b5264ca52dd51556240b60e32e2cd41d8b82
                                                • Opcode Fuzzy Hash: e4be371c5d4381fa2aee947fc978330a46ed3a381e9b0a6def4662969b34fbf2
                                                • Instruction Fuzzy Hash: D6416B32B08A4286EB10BFA1D480BBCA7A0FB84F88FA44535CE1D17795CF78E445C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: HandleModule$AddressFreeLibraryProc
                                                • String ID:
                                                • API String ID: 3947729631-0
                                                • Opcode ID: 867c7b1033e3f760706abf2d2d8e8ea2ff197c00114f18769501bed1359dd07f
                                                • Instruction ID: 86ee9f6b1cbf7fc83bc7ddb2ec5d26c60aba18417b36f49a7dcb0aa3f4ff517c
                                                • Opcode Fuzzy Hash: 867c7b1033e3f760706abf2d2d8e8ea2ff197c00114f18769501bed1359dd07f
                                                • Instruction Fuzzy Hash: C6419421E0C75282EB64FB96E451974E6A1BF80B80FB65035DA0D176E5DF3DE881C3A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: CrackInternet
                                                • String ID:
                                                • API String ID: 1381609488-0
                                                • Opcode ID: f4fc41b07c9f87b1cedcd1274125a479920f16397c88d8c0f661824f1724f0ca
                                                • Instruction ID: 8708580d37d20fabb4d393669e058dd2524a21e5f21d8fc9e263a050c3dd6908
                                                • Opcode Fuzzy Hash: f4fc41b07c9f87b1cedcd1274125a479920f16397c88d8c0f661824f1724f0ca
                                                • Instruction Fuzzy Hash: 16415876B046918AEB24EFA5D040AEDB765FB48BC8F905021DE0E27B49CF38E505CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: DestroyInfoParametersSystemWindow
                                                • String ID:
                                                • API String ID: 3173480332-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID:
                                                • API String ID: 3964851224-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: wcsftime
                                                • String ID:
                                                • API String ID: 2902305603-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00007FF78EAB4970: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78EAB4999
                                                • FreeLibrary.KERNEL32(?,?,?,00007FF78EACC8FE), ref: 00007FF78EA8656F
                                                Similarity
                                                • API ID: FreeLibrary_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3938577545-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78EAA4C5C
                                                  • Part of subcall function 00007FF78EAA5600: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF78EAA5609
                                                  • Part of subcall function 00007FF78EAA5600: _CxxThrowException.LIBVCRUNTIME ref: 00007FF78EAA561A
                                                Similarity
                                                • API ID: Concurrency::cancel_current_taskExceptionThrowstd::bad_alloc::bad_alloc
                                                • String ID:
                                                • API String ID: 1680350287-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: LongNamePath
                                                • String ID:
                                                • API String ID: 82841172-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: IconNotifyShell_
                                                • String ID:
                                                • API String ID: 1144537725-0
                                                • Opcode ID: 8549ef6000eb42c958f03a95ba6a5408167db34924d740ad0d6437c30ec5f920
                                                • Instruction ID: 3263869796be63ac0ff26af32bbdacac327b5b139f72fff25100c6ad96f8b37b
                                                • Opcode Fuzzy Hash: 8549ef6000eb42c958f03a95ba6a5408167db34924d740ad0d6437c30ec5f920
                                                • Instruction Fuzzy Hash: DBF0823191978187E361AB99E804765BAA5F789708FE40135D58D06795CF3CD305CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Open_onexit
                                                • String ID:
                                                • API String ID: 3030063568-0
                                                • Opcode ID: b140cdc24b49e8f2daa3c32c26d085363ec4fbb544eeb351244c2f0ff3a01b4f
                                                • Instruction ID: 6fd0b816358cc71bf3f694e46d3466f63bef30205925eaeb2948c6882ac47b12
                                                • Opcode Fuzzy Hash: b140cdc24b49e8f2daa3c32c26d085363ec4fbb544eeb351244c2f0ff3a01b4f
                                                • Instruction Fuzzy Hash: DFE08C50F2A64BC1EA04B7EAD8C587896A07F92B06FF05536D01CC2351EF3CD292C321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Process$CurrentVersionWow64_onexit
                                                • String ID:
                                                • API String ID: 2932345936-0
                                                • Opcode ID: 03ad02108163b1b9c24d53c6048626981572e85475d5139af19f078af1ef234b
                                                • Instruction ID: 6a8f46e3510109709d9837556352c6b523ed0a40691c11f2ed1396800d049965
                                                • Opcode Fuzzy Hash: 03ad02108163b1b9c24d53c6048626981572e85475d5139af19f078af1ef234b
                                                • Instruction Fuzzy Hash: E0C01200E6914BC0F61877F788868F841A06FE5F00FF00136D10D81282DF2C51E68773
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _onexit
                                                • String ID:
                                                • API String ID: 572287377-0
                                                • Opcode ID: 773ed23fe7bc1dd7e8b75972c2a26041a0abafe16c5f42d1a8e6024edf34d541
                                                • Instruction ID: 4a8af31b438ec613e8a4e94c186adc1c0d492567c7f3b897d7409189219d1ba0
                                                • Opcode Fuzzy Hash: 773ed23fe7bc1dd7e8b75972c2a26041a0abafe16c5f42d1a8e6024edf34d541
                                                • Instruction Fuzzy Hash: 39C0C900E5954BC0A51873F688868B841902FA9F10FE00535E00DC1282DE2C51E68762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _onexit
                                                • String ID:
                                                • API String ID: 572287377-0
                                                • Opcode ID: 5447c473e94d7294484c99fc93f4d38cb7bf7a8a438e953c913b8a13f1fa59d2
                                                • Instruction ID: 5c24f5938efda8f9405f069e457e68a7f716f133ecaebbe1e28c1b7184cfa869
                                                • Opcode Fuzzy Hash: 5447c473e94d7294484c99fc93f4d38cb7bf7a8a438e953c913b8a13f1fa59d2
                                                • Instruction Fuzzy Hash: E4C0C901E6A14BC0A51873FA88868B841902FE5F00FE00235E00D81282DE2C51E68622
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: bac09a3189ccebf1c98b8807f566a5e7d1195259a38ec772a626d8fd4a22b2c7
                                                • Instruction ID: 945b4048df3539f72d8ba8b57306eb2f491ec94307eeeff51de8d125d43ddf5e
                                                • Opcode Fuzzy Hash: bac09a3189ccebf1c98b8807f566a5e7d1195259a38ec772a626d8fd4a22b2c7
                                                • Instruction Fuzzy Hash: F0C01230E0950290E568779A4895474D2507F02750FF10631D02A811E0CB3C2457D63A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                • String ID:
                                                • API String ID: 2191629493-0
                                                • Opcode ID: 5f35c2de6374da573506e97e4f75869a29f74c360ce096ae7f9d2beb91559d16
                                                • Instruction ID: 081a61db969d1eb9205aadd7b4eba8179b538f6791caba24a701536ada43d997
                                                • Opcode Fuzzy Hash: 5f35c2de6374da573506e97e4f75869a29f74c360ce096ae7f9d2beb91559d16
                                                • Instruction Fuzzy Hash: FFF08132B0868182EB00EB55E580639A760FB89FC4F649430EA5D43B46CF38D452C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$ClientScreen$LongStateWindow$CursorMenuPopupTrack$ParentProc
                                                • String ID: @GUI_DRAGID$F
                                                • API String ID: 1993697042-4164748364
                                                • Opcode ID: 3ff90e006b483cd32b52f8b202347da56c14ceba00f8a4b8b2e43484e8e82e80
                                                • Instruction ID: 6bc11c258094c634d9c7d624bdb1f7baa9dfbc5e09a58c143bbd016d6583d054
                                                • Opcode Fuzzy Hash: 3ff90e006b483cd32b52f8b202347da56c14ceba00f8a4b8b2e43484e8e82e80
                                                • Instruction Fuzzy Hash: 06527332A19A4682EB50AFA5D445EB9ABA1FF84B84FA04136DB4D43FA5CF3CE450C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: DeleteDestroyIconImageLoadLongMessageObjectSendWindow
                                                • String ID:
                                                • API String ID: 3481653762-0
                                                • Opcode ID: 0009db8de3ffea259ba8a46f35c7ba5ff9efa5b40b0df71df5247db5c8e89bc7
                                                • Instruction ID: d8fe0433a1b50564e6e5b078cee2038213c46ab41b58046f9349ae8e7a7633ec
                                                • Opcode Fuzzy Hash: 0009db8de3ffea259ba8a46f35c7ba5ff9efa5b40b0df71df5247db5c8e89bc7
                                                • Instruction Fuzzy Hash: 97329036A09AC186EB50EFA5D444AB9BBA1FF84B84FA04135DE4E43BA4CF7CE545C710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$Window$LongMenuText$CharInfoItemNextwsprintf
                                                • String ID: %d/%02d/%02d
                                                • API String ID: 1218376639-328681919
                                                • Opcode ID: dc4bbc0974ac4667326bad8888421589749c92fab70b3f4fd50d837d0e1f6096
                                                • Instruction ID: c60b0bd9e0a8acba5fdaef53667b16776af349d73d84ea11aa6a711a9db6448c
                                                • Opcode Fuzzy Hash: dc4bbc0974ac4667326bad8888421589749c92fab70b3f4fd50d837d0e1f6096
                                                • Instruction Fuzzy Hash: 4712E432A0968282F750AFA59895EBDABA0FF85B94FA04135DE5D47BD4CF3CD441CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Window$MessageSend$Menu$Item$EnableInfoMove$DefaultShow$DrawFocusLongRect
                                                • String ID: P
                                                • API String ID: 1208186926-3110715001
                                                • Opcode ID: 0e3e078a853430a05022e0f772db04c3cd8d70c986a797c2cebe1c7d1304ed73
                                                • Instruction ID: f1a98353d89e78085cde2d5891ac084cafa38d9f93505b93a8e1e214215ce6eb
                                                • Opcode Fuzzy Hash: 0e3e078a853430a05022e0f772db04c3cd8d70c986a797c2cebe1c7d1304ed73
                                                • Instruction Fuzzy Hash: BD123672A086C286E724ABA5D454FBDABA0FF85788FA00535DE4E47E94CF7CE441CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 3778422247-2988720461
                                                • Opcode ID: cd6974c24a3c73bdd9695786a971f02835d0cd3b561fa91e9f0f548f8bdf6fbe
                                                • Instruction ID: 98593d3d026199046188f1c3eea5de0ffd2e76765539bfd88c19b2254f82df0c
                                                • Opcode Fuzzy Hash: cd6974c24a3c73bdd9695786a971f02835d0cd3b561fa91e9f0f548f8bdf6fbe
                                                • Instruction Fuzzy Hash: C4417331B0961283F7146FAAA815E3AA6D1BF88F85FE44031C90A47F54EF3DA84AC350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Process$StationWindow$CloseCurrentHandleUser$CreateDuplicate$BlockDesktopEnvironmentHeapOpenProfileToken$AdjustAllocDestroyErrorLastLoadLogonLookupPrivilegePrivilegesThreadUnloadValuewcscpy
                                                • String ID: default$winsta0$winsta0\default
                                                • API String ID: 3202303201-1423368268
                                                • Opcode ID: 19fa60696548a8d0e1a2dc45f77bb3d3c3f3a9dde0f0076f85872541770c923c
                                                • Instruction ID: 63c1f52239e994a3fd3ba682f363ad12a6c12791bd1a88ed86ce407f09b8be64
                                                • Opcode Fuzzy Hash: 19fa60696548a8d0e1a2dc45f77bb3d3c3f3a9dde0f0076f85872541770c923c
                                                • Instruction Fuzzy Hash: 05A16232B09B4286E710EFA6E440AB9B7A1FB85B94F940135DE5D47B98CF3CE405C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                • String ID: AutoIt v3 GUI
                                                • API String ID: 1458621304-248962490
                                                • Opcode ID: 26d3b03eb1ec0295eb0d9995ecf287e14171f67f9b57e050428d4d20fdccdb5d
                                                • Instruction ID: 6e6faf1bf769e83a6f7746f45f669ab810f85352ad8f3e2cc6ea75f6c1773371
                                                • Opcode Fuzzy Hash: 26d3b03eb1ec0295eb0d9995ecf287e14171f67f9b57e050428d4d20fdccdb5d
                                                • Instruction Fuzzy Hash: 41D14D32A14A528BE714EFB9D854BBD7BA1FB44B58FA00135DA0E53BA4DF38E444C760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                • String ID:
                                                • API String ID: 3222323430-0
                                                • Opcode ID: 5e3e1e7d7e0fd8e693f3b1b98b8cd09f95ce49b5b3e06d415371d4ee9fd0d329
                                                • Instruction ID: aab657c301fcfd575331f63857c1f9456b3b66fcc94eea09d019eab0a061092b
                                                • Opcode Fuzzy Hash: 5e3e1e7d7e0fd8e693f3b1b98b8cd09f95ce49b5b3e06d415371d4ee9fd0d329
                                                • Instruction Fuzzy Hash: D971BF31B0A65382EA10BB95D455A7CABA2FF85F84FE04035DA0E47BA1DF3CE506C721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: MessageSend$Menu$InfoItemTextWindow$CharDrawInvalidateNextRect
                                                • String ID:
                                                • API String ID: 1015379403-0
                                                • Opcode ID: 48b1a1b098f20d8d6637e58e142fe5064dcb3bbb0445ab3a9841590c8a134aa7
                                                • Instruction ID: 5b7a281d00cbb35fbfc6e2bd4aa67353b81aab72f23f9f1f8913c42f2bcf24ca
                                                • Opcode Fuzzy Hash: 48b1a1b098f20d8d6637e58e142fe5064dcb3bbb0445ab3a9841590c8a134aa7
                                                • Instruction Fuzzy Hash: B002F831A096C296EB20AFA1D404AB9ABA1FF84794FA44231DA5D17BD4CF3CE945CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Cursor$Load$ErrorInfoLast
                                                • String ID:
                                                • API String ID: 3215588206-0
                                                • Opcode ID: 486734a10a8987c1c87853d7cfea6df4eeb43b8f453fb3bc83844081bd685034
                                                • Instruction ID: 9caa27d3e81fdadcc6c4281f6740a0b0f69217111e4f52034a4ca41560215906
                                                • Opcode Fuzzy Hash: 486734a10a8987c1c87853d7cfea6df4eeb43b8f453fb3bc83844081bd685034
                                                • Instruction Fuzzy Hash: D8515B32A0DB128AEB44ABA4F45957D67E1FB48B44F60443ADA0E83B84DF7CE456C354
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: CloseValue$ConnectCreateRegistry
                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                • API String ID: 3314541760-966354055
                                                • Opcode ID: c2661cbcf60f50b911ca365fc450a5397cab0d2fa8d36ea4ca4b93b3b050d5a4
                                                • Instruction ID: 3a24b0f155987e47612817c5ec3b7b1437301d36b4849290e6e8189236351547
                                                • Opcode Fuzzy Hash: c2661cbcf60f50b911ca365fc450a5397cab0d2fa8d36ea4ca4b93b3b050d5a4
                                                • Instruction Fuzzy Hash: 3A027F22B08A9285EB10FFA6D491ABDB764FF89F84B955032DE0D47756DF38E441C350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: P
                                                • API String ID: 0-3110715001
                                                • Opcode ID: 505bc1ac260f627f388b9ce0ef0303fb06d7118b1057d91edc122da117b259b5
                                                • Instruction ID: 77593c3f9c4517c16dc8430dca3fc113449420a00082bc1ec26c45bc7b009fd6
                                                • Opcode Fuzzy Hash: 505bc1ac260f627f388b9ce0ef0303fb06d7118b1057d91edc122da117b259b5
                                                • Instruction Fuzzy Hash: EFA1C532A0864196F724EFA5E404AB9F7A0FF84B94FA08136DA5E43B94CF7CE945C711
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: CurrentDirectoryTime$File$Localwcscat$Systemwcscpy
                                                • String ID: *.*
                                                • API String ID: 1111067124-438819550
                                                • Opcode ID: 44a7a2dc7d77b47c1bd132d9622fe18c2c0abd02877e1c7c981d395a4e0f69b9
                                                • Instruction ID: 89c8dfdbce269dd686075583e62d9d609c3fee3a6a709fdf5382eded64c7d04e
                                                • Opcode Fuzzy Hash: 44a7a2dc7d77b47c1bd132d9622fe18c2c0abd02877e1c7c981d395a4e0f69b9
                                                • Instruction Fuzzy Hash: C571A032618B8691DB60EF52E8409FEB7A1FB84B88FA01031DA4D47B66DF3DE645C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                • String ID: *.*
                                                • API String ID: 1409584000-438819550
                                                • Opcode ID: 8f313655dcbdbe42a35da08493f07892190d387efc47daab254f64e3a089ff94
                                                • Instruction ID: 802ecedeb2031de9d194ebe1da3dcb7e64cb15ff59a06af562bdfcf7ff2f4d18
                                                • Opcode Fuzzy Hash: 8f313655dcbdbe42a35da08493f07892190d387efc47daab254f64e3a089ff94
                                                • Instruction Fuzzy Hash: BD41A135A0964244EB00EBA5E945EB9EBA0FF44BA4FE04531DD6E476E4DF3CE40AC320
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                • String ID: *.*
                                                • API String ID: 2640511053-438819550
                                                • Opcode ID: d607f8cd377dc7cb12783564cfab50aac2a1e28959c9b0777418728c286e0dff
                                                • Instruction ID: e2932f287ca8a9bf8121d699a3d28c6f7a98ccb6b1be3d791815d09413b21db0
                                                • Opcode Fuzzy Hash: d607f8cd377dc7cb12783564cfab50aac2a1e28959c9b0777418728c286e0dff
                                                • Instruction Fuzzy Hash: 90417231A0CA4250EA50BB95A845EBAEB90FF45BE4FE04531DD6E476E5EF3CE409C720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: QueryValue$Close$BuffCharConnectOpenRegistryUpper
                                                • String ID:
                                                • API String ID: 3218304859-0
                                                • Opcode ID: 8460fcd14c2d5af8b8448452fe1ceaeb79385f0ae3ec0649039ae0ff740bb763
                                                • Instruction ID: 608333cd9d052ef1b251a8d777cfd80a8125026b0f03499ee9cf35246cf543bb
                                                • Opcode Fuzzy Hash: 8460fcd14c2d5af8b8448452fe1ceaeb79385f0ae3ec0649039ae0ff740bb763
                                                • Instruction Fuzzy Hash: 6EF17032B05A9286EB10EFA5D490ABCB7B0FF85B98BA18131DE4D47B95DF38E001C754
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                • String ID:
                                                • API String ID: 2762341140-0
                                                • Opcode ID: 88abb8603447e432c7220777c94e58854007cc25b7963db554ba3f1bca1083b8
                                                • Instruction ID: dfdc9e9c5d0750d0c3a5c6a32a02cfc97ec79b98ba26c42b13fd99514a681d22
                                                • Opcode Fuzzy Hash: 88abb8603447e432c7220777c94e58854007cc25b7963db554ba3f1bca1083b8
                                                • Instruction Fuzzy Hash: 00C16D36B04B9585EB10EFA6E8849ADBBA0FB88F94F954036DE4E47B25CF38D545C310
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                • String ID:
                                                • API String ID: 1255039815-0
                                                • Opcode ID: ea7a7ac653921025fbba948ebd31ca7d5268814b13a9ba19b0931f3d2795027d
                                                • Instruction ID: d321d30018169981e202a6042b1fcf8b3bbf7ece91d9908b4b6d2eec3dc66a53
                                                • Opcode Fuzzy Hash: ea7a7ac653921025fbba948ebd31ca7d5268814b13a9ba19b0931f3d2795027d
                                                • Instruction Fuzzy Hash: 0161D132B0469296EB00EFA1D8459BC77B5FB44F88BA44035DE1E63B94DF39D845C360
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                • API String ID: 4194297153-14809454
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                • String ID:
                                                • API String ID: 2395222682-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow
                                                • String ID:
                                                • API String ID: 312131281-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                • String ID:
                                                • API String ID: 1737998785-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: File$Find$Delete$AttributesCloseCopyFirstFullMoveNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 4047182710-1173974218
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ErrorLast$closesocket$bindlistensocket
                                                • String ID:
                                                • API String ID: 540024437-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: NULL Pointer assignment$Not an Object type
                                                • API String ID: 0-572801152
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$PerformanceQuery$CounterRectmouse_event$CursorDesktopForegroundFrequencySleep
                                                • String ID:
                                                • API String ID: 383626216-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                • String ID:
                                                • API String ID: 1239891234-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState
                                                • String ID: *.*
                                                • API String ID: 1927845040-438819550
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ERCP$PCRE$VUUU$VUUU$VUUU$VUUU
                                                • API String ID: 0-2187161917
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ErrorLastinet_addrsocket
                                                • String ID:
                                                • API String ID: 4170576061-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize
                                                • String ID: .lnk
                                                • API String ID: 948891078-24824748
                                                • Opcode ID: b4bdf16b1d6e250789257ed7582273ea4c4491f63d6a2b21af47a83611e6fa4b
                                                • Instruction ID: 16db4050c46b4cffee530264c9b7bb2b893dfca69d1206976e08b95d22551a22
                                                • Opcode Fuzzy Hash: b4bdf16b1d6e250789257ed7582273ea4c4491f63d6a2b21af47a83611e6fa4b
                                                • Instruction Fuzzy Hash: C9D1A172B18B5681EB40FBA5D490ABEAB60FB90B84F905031EE4E47B69DF3CE544C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _handle_error
                                                • String ID: !$VUUU$fmod
                                                • API String ID: 1757819995-2579133210
                                                • Opcode ID: 891804033c6d9bcc01b81d75b861d81fbb0e9180f173dbd42278a229c0b4683c
                                                • Instruction ID: 3870992b6aaf0c72911d977652834804e1996ad938a989f0ee49b8aa533d2dae
                                                • Opcode Fuzzy Hash: 891804033c6d9bcc01b81d75b861d81fbb0e9180f173dbd42278a229c0b4683c
                                                • Instruction Fuzzy Hash: 00B10821A2CFC444D6A38A3494117B6F259BFEA790F60C336ED9E35AA0DF3C9582C701
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _invalid_parameter_noinfo.LIBCMT ref: 00007FF78EAC2D60
                                                  • Part of subcall function 00007FF78EABB184: GetCurrentProcess.KERNEL32(00007FF78EABB21D), ref: 00007FF78EABB1B1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: CurrentProcess_invalid_parameter_noinfo
                                                • String ID: *$.$.
                                                • API String ID: 2518042432-2112782162
                                                • Opcode ID: 10686662bc6c287608bb1927b489f0d8a7225314f89d29ff6f04aab4d96db585
                                                • Instruction ID: f0ebd66147fa7127370f499230e64a58caa54519fd10a6ca0b8f71005fc8496f
                                                • Opcode Fuzzy Hash: 10686662bc6c287608bb1927b489f0d8a7225314f89d29ff6f04aab4d96db585
                                                • Instruction Fuzzy Hash: AB51CF62B14B5584FB10EBE698009BDA7A4BF88FD8FA44535CE4D27B85DF38D082C321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _get_daylight$_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 1286766494-0
                                                • Opcode ID: 09e4e907ae870b3820667c0232f28915d6dd8b336669930dd8abe80671f645cd
                                                • Instruction ID: b4ac9024fa7db5d1c2a35e0bb821a9d53b5095d3061e8fa12672539e95641f2a
                                                • Opcode Fuzzy Hash: 09e4e907ae870b3820667c0232f28915d6dd8b336669930dd8abe80671f645cd
                                                • Instruction Fuzzy Hash: 79A2C132A0864287EB249FA8D4509BDB7A5FB84F88FA44135DB8D07B98DF3DE511C721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF78EAA5C43
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: DebugDebuggerErrorLastOutputPresentString
                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                • API String ID: 389471666-631824599
                                                • Opcode ID: a6f712f19902253ba7949c04243615cc0ab49cc8bc5c14b6f720c4296af9f677
                                                • Instruction ID: 742709397e8e71a647201a37792f3f9855c145af11f4d266c3598f2f08e5c1c7
                                                • Opcode Fuzzy Hash: a6f712f19902253ba7949c04243615cc0ab49cc8bc5c14b6f720c4296af9f677
                                                • Instruction Fuzzy Hash: 5811E032A14B4297F704ABA2D6417B8B7E5FF44745FA04138C60D82A94EF3CE0B8CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF78EAE2DD1), ref: 00007FF78EB1AF37
                                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF78EAE2DD1), ref: 00007FF78EB1AF4F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                • API String ID: 2574300362-1816364905
                                                • Opcode ID: b553b98cf413c0522d0a8d0790f0dad2998fa959ac13788e6be9999dd8a5b612
                                                • Instruction ID: f6265e39767cd92f989eec7ef88fe8e35890775866597e1e70be089908107daa
                                                • Opcode Fuzzy Hash: b553b98cf413c0522d0a8d0790f0dad2998fa959ac13788e6be9999dd8a5b612
                                                • Instruction Fuzzy Hash: 50F03071A06B0581EF08EF90E445778A7E4FB08B19FE40435C95D82364EF7CE958C360
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$CopyCreateInitializeInstanceUninitialize
                                                • String ID:
                                                • API String ID: 2733932498-0
                                                • Opcode ID: 76cfe6a88e8d4c97ddc2bff8c99a0a5ec9652acf9fcd88a0bb64bf620c77a0d2
                                                • Instruction ID: 224eb4c98b05ad8943e0b1b9763d65946d265f7ed576f06b9f0fb000f572b8b4
                                                • Opcode Fuzzy Hash: 76cfe6a88e8d4c97ddc2bff8c99a0a5ec9652acf9fcd88a0bb64bf620c77a0d2
                                                • Instruction Fuzzy Hash: 46B17E26B04B5681EB10EFA6D490ABDAB65FB48FE4FA55032DE5D4779ACF38D440C320
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirstlstrlen
                                                • String ID:
                                                • API String ID: 2695905019-0
                                                • Opcode ID: 0e40a590ccee8b84c2b17bba0c0d64c91c67e628f63cf05be15c9ff0c6569a5d
                                                • Instruction ID: 13a1902f6765b802d9cab497be38184909f22eb73a5cbd732e535ae28f7ee23a
                                                • Opcode Fuzzy Hash: 0e40a590ccee8b84c2b17bba0c0d64c91c67e628f63cf05be15c9ff0c6569a5d
                                                • Instruction Fuzzy Hash: 67F05E20E0960291EA246BA5A809B38E6A0BF41B75FA44330D47F066E4DF7C9498C260
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: DEFINE$x
                                                • API String ID: 0-4035502692
                                                • Opcode ID: ef8c6a1001600b964e5fbe2637a07538f3dd4599c6cbe193d186c423f91508d7
                                                • Instruction ID: 7f7c8243673c31f6ad2012a93dbcbf2830064c0f3428dbca9fcaf9801dba9556
                                                • Opcode Fuzzy Hash: ef8c6a1001600b964e5fbe2637a07538f3dd4599c6cbe193d186c423f91508d7
                                                • Instruction Fuzzy Hash: A853DF72B046528AE760EFA5C440ABC77A5FB44F88FA08036DE4D57B84EF39E941C752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Init_thread_footer
                                                • String ID:
                                                • API String ID: 1385522511-0
                                                • Opcode ID: 22f4ddece5590f9ab5149614c05ac7f8aa226173c2915d24097b6f9bf072f8f2
                                                • Instruction ID: be866f01d7079fc16233db155a49e810ac83f2309163bc12fbc45a2d0a6d4f21
                                                • Opcode Fuzzy Hash: 22f4ddece5590f9ab5149614c05ac7f8aa226173c2915d24097b6f9bf072f8f2
                                                • Instruction Fuzzy Hash: 14829E36A18A5286EB50FF95E884A79B7A1FB44F84FB10035DA5E47794DF3CE840C322
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $[$\
                                                • API String ID: 0-3681541464
                                                • Opcode ID: f7681cbd2ea07fa149fa3418819e144fbe1fe0a990a0ed3c69471eaae0dbb131
                                                • Instruction ID: ed13d08dec3f7fd76e0b696b10a4e283608ae982bc3657a66cf7cf0034755966
                                                • Opcode Fuzzy Hash: f7681cbd2ea07fa149fa3418819e144fbe1fe0a990a0ed3c69471eaae0dbb131
                                                • Instruction Fuzzy Hash: BEB28E72B047528AEB64DFA5C480ABCB7B1FB44B48FA14136DE0D57B88EB38E941C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Find$File$CloseFirstNext
                                                • String ID:
                                                • API String ID: 3541575487-0
                                                • Opcode ID: 68e3a9218ce893ff5da120e8ed9a0dd63e03a58202c13d19b4c87c3f6d3b5ac8
                                                • Instruction ID: 4dbe450b98d536ef6c18a814e286942d0157c6752413e3d1ce2efa2c0b4b7430
                                                • Opcode Fuzzy Hash: 68e3a9218ce893ff5da120e8ed9a0dd63e03a58202c13d19b4c87c3f6d3b5ac8
                                                • Instruction Fuzzy Hash: 83518E32608A4685DB14EFA5D480ABCBB60FB84F94FA04232CB6D43BA5CF7CE551C721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: CloseControlCreateDeviceFileHandle
                                                • String ID:
                                                • API String ID: 33631002-0
                                                • Opcode ID: ca0bd82f7ad00f84ec25768a9b54d2dc1663f901610658eb39350496b70fa362
                                                • Instruction ID: 86a37934ab95720472aba56513f955def48f08ec923d129218a375fa43bd5019
                                                • Opcode Fuzzy Hash: ca0bd82f7ad00f84ec25768a9b54d2dc1663f901610658eb39350496b70fa362
                                                • Instruction Fuzzy Hash: F9219D7361874087E3508F55E0847AAB7A0F384BA0F608236DB9D43B98DF3CC95ACB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Heap$AllocInitializeProcess
                                                • String ID:
                                                • API String ID: 570334035-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: .
                                                • API String ID: 0-248832578
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ExceptionRaise_clrfp
                                                • String ID:
                                                • API String ID: 15204871-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                • String ID:
                                                • API String ID: 81990902-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: 0$0x%p
                                                • API String ID: 3215553584-2479247192
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: Variable is not of type 'Object'.
                                                • API String ID: 0-1840281001
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: no error
                                                • API String ID: 0-1106124726
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: BlockInput
                                                • String ID:
                                                • API String ID: 3456056419-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: NameUser
                                                • String ID:
                                                • API String ID: 2645101109-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: 0
                                                • API String ID: 3215553584-4108050209
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: 0
                                                • API String ID: 3215553584-4108050209
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                • Opcode ID: aef1645feaa1291f65bd50d9bda51e86790c3738af6c6eb1c9d6e81d2b8add60
                                                • Instruction ID: d0630ad52e9447df595217938042bbfc3d811ecfe826d8671128087e95c210a0
                                                • Opcode Fuzzy Hash: aef1645feaa1291f65bd50d9bda51e86790c3738af6c6eb1c9d6e81d2b8add60
                                                • Instruction Fuzzy Hash: DA71E922A0824246F764EAA9D440E39E2D5BFC4F70FB40635EA6D467D1DF7DE881C722
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c2308bd2b59363eb380d9f2aadf6ae7fcc9e74111fd97fe2ff68e231cb56cb52
                                                • Instruction ID: e6fbe1171b32d838109c236c9b5a865dd8bb68df418b3fd7c0aa9916d805a1b5
                                                • Opcode Fuzzy Hash: c2308bd2b59363eb380d9f2aadf6ae7fcc9e74111fd97fe2ff68e231cb56cb52
                                                • Instruction Fuzzy Hash: A821CF32A2400187E70CDFB5D862EA977E5B360708F68C13AD52B83684CF3CE905C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4e4605b7b007d95894f61c83fec82003118576a017aad510c5c4214a882ee24
                                                • Instruction ID: 8f95cf2e6b37f202f90d32761752c04a37a82dcf36487e96e8fb52bf25dde6bd
                                                • Opcode Fuzzy Hash: f4e4605b7b007d95894f61c83fec82003118576a017aad510c5c4214a882ee24
                                                • Instruction Fuzzy Hash: 3FF04471B1C2559ADB949F6CA842A297F90F748384BA08039D59983E54DA3C9050DF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06a18b8ad93dc8222913c3b18848eb7fe0d0fd2f3d8a242d5e2f0303cc3a2d96
                                                • Instruction ID: d74df8e4da2c0f3eaf913972f7652055463b760894e44215fcf06873dccd8474
                                                • Opcode Fuzzy Hash: 06a18b8ad93dc8222913c3b18848eb7fe0d0fd2f3d8a242d5e2f0303cc3a2d96
                                                • Instruction Fuzzy Hash: 47A0023690FD02E4E614ABC1E851870AB71FB50710BF11433D00D45861DF3DB480C766
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 3521893082-0
                                                • Opcode ID: 83951a0f5ab674c7ceda612414a489f98c53b7b77578a5fec0661329090dac0c
                                                • Instruction ID: 4879791bb1f6e12347fc8965d24b067a497b17b9e76b5e6ddff1a022d3e2d3fb
                                                • Opcode Fuzzy Hash: 83951a0f5ab674c7ceda612414a489f98c53b7b77578a5fec0661329090dac0c
                                                • Instruction Fuzzy Hash: 8CA1B772F05A4286EB14ABE2D84597C6BA1BF49B64FA04334DE2E53BD4DF3C9444C3A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: ErrorMode$DriveType
                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                • API String ID: 2907320926-4222207086
                                                • Opcode ID: 95469adb000f55e80b35bf279774cb29b0463a79c734ed7031b91ee428a0fd32
                                                • Instruction ID: bd1c999138307bd3af48008b35f11f1b050562d7da00cb33bdbe9be39a37aa5a
                                                • Opcode Fuzzy Hash: 95469adb000f55e80b35bf279774cb29b0463a79c734ed7031b91ee428a0fd32
                                                • Instruction Fuzzy Hash: 1DB15C21B0EA4394EA64BBE5D840DBDAB61BF40B84BF45131D90E47A99EF3CF945C321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 1996641542-0
                                                • Opcode ID: af2003aee250e54b852e397d0315c9d0f6196c66345de4a516034d00de27f57a
                                                • Instruction ID: d07cbe4f9dd196dab670d4552eb6c1a5c0696e995a1374d50f7121b5e9e2b8ab
                                                • Opcode Fuzzy Hash: af2003aee250e54b852e397d0315c9d0f6196c66345de4a516034d00de27f57a
                                                • Instruction Fuzzy Hash: AC71C736A09A8187E764EB91E845A7AB7A1FB88BA0F604334DD5E43B94DF3CD444C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                • String ID: tooltips_class32
                                                • API String ID: 698492251-1918224756
                                                • Opcode ID: 134fb4e1424d2fb4e321c1dd5c8cc0f154a29b10d7bebbc83ea585521f9a7016
                                                • Instruction ID: 33d48588234c51a2338b2df23969baa0cb2692b3f78612b8a3e42eb9ae4a15b9
                                                • Opcode Fuzzy Hash: 134fb4e1424d2fb4e321c1dd5c8cc0f154a29b10d7bebbc83ea585521f9a7016
                                                • Instruction Fuzzy Hash: 51C15432A087968AEB14DFA5E4446AEBBA1FF88B45FA00035DA5D47B54CF3CE845C714
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                • String ID: @
                                                • API String ID: 3869813825-2766056989
                                                • Opcode ID: b82c187733dd5023c28d903207b62df0d5996a373ba8083c7f15af3311f57f4a
                                                • Instruction ID: e11d69da1dd13e288a95146af3e3ebb2446ebb6a0e0487bd048e841ee778b9dd
                                                • Opcode Fuzzy Hash: b82c187733dd5023c28d903207b62df0d5996a373ba8083c7f15af3311f57f4a
                                                • Instruction Fuzzy Hash: EE818132A05A4286E740EFB5E854A7D77A0FB44F88FA44532DE4DA7B98DF38D845C720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Color$LongWindow$ModeObjectStockText
                                                • String ID:
                                                • API String ID: 554392163-0
                                                • Opcode ID: 75ec6bcd28a8efb3125b08e197a7caecd4c99aa61c3caa47667afd5c8d51fa7a
                                                • Instruction ID: 82832ceb180f17a018006b8cafd663a4fc79815cd52f7bc682ca930916d6ca59
                                                • Opcode Fuzzy Hash: 75ec6bcd28a8efb3125b08e197a7caecd4c99aa61c3caa47667afd5c8d51fa7a
                                                • Instruction Fuzzy Hash: CC81E631D0856682EA30A7A99848A79A791FF45F65FF50231C99E037E4DF3CE882C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: wcscat$FileInfoQueryValueVersion$Sizewcscpywcsstr
                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                • API String ID: 222038402-1459072770
                                                • Opcode ID: 2d5e5e3e76826f94c3f6d4a5c1a7de8f40f2fa6e444124fee147eef73f68b5d3
                                                • Instruction ID: 94d60e0ac33189c616e896da819d2574b1bfbfa708985b3944d2f21391769692
                                                • Opcode Fuzzy Hash: 2d5e5e3e76826f94c3f6d4a5c1a7de8f40f2fa6e444124fee147eef73f68b5d3
                                                • Instruction Fuzzy Hash: 4551C021B0874292EA14FBA3A4419B9A791BF85FD0FE08432ED4D47B96DF3CE501C766
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: BuffCharMessageSendUpper
                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                • API String ID: 3974292440-4258414348
                                                • Opcode ID: f7eb3b82bd33efc39cdfbe657952fc67dbcbb2fb0c02c8aa3a7f3dc4219201ec
                                                • Instruction ID: a79fe4a1aa9ff139f285a747cc65f71edd409642fbc255898b1ec17bf19ad593
                                                • Opcode Fuzzy Hash: f7eb3b82bd33efc39cdfbe657952fc67dbcbb2fb0c02c8aa3a7f3dc4219201ec
                                                • Instruction Fuzzy Hash: E312E313B1869382EE54BBA588059BDEBA0BF54F85BE44531DE1E47799EF3DE801C320
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: SendString$BuffCharDriveLowerType
                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                • API String ID: 1600147383-4113822522
                                                • Opcode ID: f252e619c40fa0aff5f0b1f1e37f3765b913bf4df1bc6161e1addbf501e4a31a
                                                • Instruction ID: 877a8eeda54cdad7b68f343a8940cc512d32af935552d8a2bcfc0902b2a34004
                                                • Opcode Fuzzy Hash: f252e619c40fa0aff5f0b1f1e37f3765b913bf4df1bc6161e1addbf501e4a31a
                                                • Instruction Fuzzy Hash: 5F81C232B14A52C5EB00ABA5D851ABDB7B1FB54B98FA04431CE4D97B94EF3CE945C320
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Load$Image$IconLibraryMessageSend_invalid_parameter_noinfo$DestroyExtractFree
                                                • String ID: .dll$.exe$.icl
                                                • API String ID: 258715311-1154884017
                                                • Opcode ID: e03b8a297f3e31543187ea4d980dcab107f3fc290ba37e0d0746b7471e731d00
                                                • Instruction ID: 5387f243ed2fd6f310b819aaff85605985b5d9a5728daaf6117d2656673e4981
                                                • Opcode Fuzzy Hash: e03b8a297f3e31543187ea4d980dcab107f3fc290ba37e0d0746b7471e731d00
                                                • Instruction Fuzzy Hash: BD71B332A05B5282EB64AFA29445EB9A7E0FF49F98F940635ED1D47B94DF3CD444C310
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                • String ID:
                                                • API String ID: 3840717409-0
                                                • Opcode ID: 7c311c18288b1496fa214aa0c4abe44590be5c31b38ad7f7d9d564ed982c3a32
                                                • Instruction ID: 638867fc6ac08277774ea1af4fef5cf773bb8c7fba67f4adceb3426f21841498
                                                • Opcode Fuzzy Hash: 7c311c18288b1496fa214aa0c4abe44590be5c31b38ad7f7d9d564ed982c3a32
                                                • Instruction Fuzzy Hash: 1B517836B15B4186EB14EFA6E849E6D77A0FB88B94BA14231DE5E03B14DF3DD805C710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit
                                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                • API String ID: 2610073882-3931177956
                                                • Opcode ID: 3a4deae4be3d28b748e7cdb3881e49b2f52cd22b671274b5b57ee26e9b6474c9
                                                • Instruction ID: fbf490577af70edd26c7e5ad6c0b936e817ce687396cc88be1bc1619651e4028
                                                • Opcode Fuzzy Hash: 3a4deae4be3d28b748e7cdb3881e49b2f52cd22b671274b5b57ee26e9b6474c9
                                                • Instruction Fuzzy Hash: A1028932A09642C6EB5DBBA5C154D7DBBA1FB05B80FA98535DA0E07A94DF3CF950C220
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Filewcscat$DeleteTemp$NamePath_fread_nolock_invalid_parameter_noinfowcscpy
                                                • String ID: aut
                                                • API String ID: 130057722-3010740371
                                                • Opcode ID: bdbe7f6e9be2466084ded0a7f968f31c408d930c5ced813d0871173edae7c5aa
                                                • Instruction ID: e1f7f87c4318200c3962646f22bfa128deae86813807b95b3e2ba441258646e2
                                                • Opcode Fuzzy Hash: bdbe7f6e9be2466084ded0a7f968f31c408d930c5ced813d0871173edae7c5aa
                                                • Instruction Fuzzy Hash: 51C189326146C695EB30EFA5E8409F9A754FB84B88F904036EB8D47B59DF3CE609C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$MessageSend$CreateDestroy$DesktopRect
                                                • String ID: tooltips_class32
                                                • API String ID: 2443926738-1918224756
                                                • Opcode ID: aaeb60d555cc86bf3e66e764e60d0e4162c92bacd9f6913f3df39f71d352b9df
                                                • Instruction ID: 7034c25f15046b95288628199feb7276913196bbd88785035cbcca5059004c95
                                                • Opcode Fuzzy Hash: aaeb60d555cc86bf3e66e764e60d0e4162c92bacd9f6913f3df39f71d352b9df
                                                • Instruction Fuzzy Hash: AF91AC32A19B8586EB51DFA5E440BADBBA1FB88B84FA04036DE4D47B58DF3CD045C720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                • String ID:
                                                • API String ID: 2598888154-3916222277
                                                • Opcode ID: 0687041585a76cffa9d893ce7bd17f4e87b15e62bb487ba43aaf867343990d1c
                                                • Instruction ID: 8dedda7dd791467558c8cb16e6372646088fed66173408dd63d6cbcdbe476ded
                                                • Opcode Fuzzy Hash: 0687041585a76cffa9d893ce7bd17f4e87b15e62bb487ba43aaf867343990d1c
                                                • Instruction Fuzzy Hash: DF516336B15641CBE750DFA5E844AAEBBE1F748B98B508139EE4A53B18CF38E415CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID: NULL Pointer assignment
                                                • API String ID: 2706829360-2785691316
                                                • Opcode ID: f387a50e6818b73d110b12cd73088d785cdd73093c11eac48bc39c6d5f3c3ae3
                                                • Instruction ID: 5de04c0abcc01589b22cc0b491e4314f49db4a6362e70ac6eb2466ef0fda3c49
                                                • Opcode Fuzzy Hash: f387a50e6818b73d110b12cd73088d785cdd73093c11eac48bc39c6d5f3c3ae3
                                                • Instruction Fuzzy Hash: 22513132B15A128AEB50EFA5D895ABCB770FB84F88F914431DA0E47A69DF38D445C350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CharUpperBuffW.USER32(?,?,?,00000000,?,?,?,00007FF78EB1FD7B), ref: 00007FF78EB21143
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                • API String ID: 3964851224-909552448
                                                • Opcode ID: e7e63e4dd25da427c1142b0bbb9523a4c6b780727a3c5ada72161eb03b32f57b
                                                • Instruction ID: c9ee798f28ab7c0da0e2b4ae67f59709ce9bda400681b40c63bbd6cf101b1557
                                                • Opcode Fuzzy Hash: e7e63e4dd25da427c1142b0bbb9523a4c6b780727a3c5ada72161eb03b32f57b
                                                • Instruction Fuzzy Hash: CBE1C312F086D781EA60AFE5D840AB9A7A1BF10B98FE48531D91E577D4EF3CE945C320
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$AttributesFilewcscat$wcscpy
                                                • String ID: *.*
                                                • API String ID: 4125642244-438819550
                                                • Opcode ID: 1ea90ef3ac2d7d254d472ba41b7dd042367ce3fbfdec11002f51064aa4e1dc95
                                                • Instruction ID: 4e897b72276e6de8f640c7ae04280e094dd6323f4a75da5ed2c24811cdc78392
                                                • Opcode Fuzzy Hash: 1ea90ef3ac2d7d254d472ba41b7dd042367ce3fbfdec11002f51064aa4e1dc95
                                                • Instruction Fuzzy Hash: 51818032618A8286EB50EF95D840EBDB7A0FB44B84FE44036DA4E47B95DF7CE644C760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                • String ID: P
                                                • API String ID: 1460738036-3110715001
                                                • Opcode ID: 09c43fc9986b4157130dcd1dffd3aa1f9b08a6e3a366ab44e0db326a1696cd75
                                                • Instruction ID: 9bb1e6eee3ae42929747fd2e80f9ab4e2a387c6ecc433dc162ef4d890167c466
                                                • Opcode Fuzzy Hash: 09c43fc9986b4157130dcd1dffd3aa1f9b08a6e3a366ab44e0db326a1696cd75
                                                • Instruction Fuzzy Hash: 6271F732A0864246F760FFA49444AFDA7A1BB44F49FB48432DE4E07A85CF7CE44AC721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$ItemMoveRect$Invalidate
                                                • String ID:
                                                • API String ID: 3096461208-0
                                                • Opcode ID: cd18a514988302620758944a1eb5a442a77522faab4df44982a6bd62bf806ab3
                                                • Instruction ID: 228265bd91b3e456b7338f142cf6073b70a2e84c2b0f56c6bf3a6b205eb53722
                                                • Opcode Fuzzy Hash: cd18a514988302620758944a1eb5a442a77522faab4df44982a6bd62bf806ab3
                                                • Instruction Fuzzy Hash: 0F618372B156418BE714DFAAE444A6DB7E2B788B84F60813ADE0993F58DF3CD905CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: c617befc0bd1dbd4d54129b7722c2ebd01a7f232fb97f78571421a33ec3567e4
                                                • Instruction ID: 052484c63df6ff391bf11ed12e13c95dcc65ddc54ee44cede27998ce0a0a9ac9
                                                • Opcode Fuzzy Hash: c617befc0bd1dbd4d54129b7722c2ebd01a7f232fb97f78571421a33ec3567e4
                                                • Instruction Fuzzy Hash: FB71B622A1C6C155FB35ABA4D010AB9ABA1FB45F88FF9003AD68D03691CF7DD945C732
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: BuffCharDriveLowerTypewcscpy
                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                • API String ID: 1561581874-1000479233
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
                                                • String ID: %s%u
                                                • API String ID: 1412819556-679674701
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                • API String ID: 3030280669-22481851
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Window$CreateMessageObjectSend$AttributesCompatibleDeleteDestroyLayeredLongMovePixelSelectStock
                                                • String ID: static
                                                • API String ID: 3821898125-2160076837
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
                                                • String ID: :$\$\??\%s
                                                • API String ID: 3827137101-3457252023
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                • String ID:
                                                • API String ID: 1255039815-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00007FF78EA86838: CreateFileW.KERNEL32 ref: 00007FF78EA868A2
                                                  • Part of subcall function 00007FF78EAA4380: GetCurrentDirectoryW.KERNEL32(?,00007FF78EA8E817), ref: 00007FF78EAA439C
                                                  • Part of subcall function 00007FF78EA856D4: GetFullPathNameW.KERNEL32(?,00007FF78EA856C1,?,00007FF78EA87A0C,?,?,?,00007FF78EA8109E), ref: 00007FF78EA856FF
                                                • SetCurrentDirectoryW.KERNEL32 ref: 00007FF78EA8E8B0
                                                • SetCurrentDirectoryW.KERNEL32 ref: 00007FF78EA8E9FA
                                                Strings
                                                Similarity
                                                • API ID: CurrentDirectory$CreateFileFullNamePathwcscpy
                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                • API String ID: 2207129308-1018226102
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                • API String ID: 636576611-1287834457
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Icmp$CleanupCloseCreateEchoFileHandleSendStartupgethostbynameinet_addr
                                                • String ID: 5$Ping
                                                • API String ID: 1486594354-1972892582
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 2573188126-1403004172
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 2573188126-1403004172
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: wcscpy$CleanupStartupgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                • API String ID: 2479661705-3771769585
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ItemMenu$InfoWindow$CheckCountCtrlEnabledFocusLongMessagePostProcRadio
                                                • String ID:
                                                • API String ID: 2672075419-0
                                                • Opcode ID: 483736ca4524e46e39a6667cb4a9483b8f15c912601d7af63434f91fd575caa3
                                                • Instruction ID: 98b57517ca19a55ea50fcffaff00602e8b4811b7df0e4599c324b2c21e956a0e
                                                • Opcode Fuzzy Hash: 483736ca4524e46e39a6667cb4a9483b8f15c912601d7af63434f91fd575caa3
                                                • Instruction Fuzzy Hash: 10919E36B096528AEB50AFE5D441BBDABE1FF45B88FA00035DE0D53A99DF38E405C320
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Virtual$MessagePostSleepThread$AttachCurrentInputProcessWindow
                                                • String ID:
                                                • API String ID: 685491774-0
                                                • Opcode ID: c5260aafb6a4b6d42d2605749b26c771a95cedda71831fed2f7dc5c01b1cab92
                                                • Instruction ID: 5ff7222665086d9e44a9687f023b4d7a2ea02beb89ca8e1e6167e9c9733a6856
                                                • Opcode Fuzzy Hash: c5260aafb6a4b6d42d2605749b26c771a95cedda71831fed2f7dc5c01b1cab92
                                                • Instruction Fuzzy Hash: C5119075B0590282F714ABF6A899D7D66A1BFCCB81FA09039C90E4BB50DF3DE054C360
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                • API String ID: 0-1603158881
                                                • Opcode ID: 8592d670b6a5495871e12ff66e0da7572921ba9f8c170d8e8a2b49cf93bae69b
                                                • Instruction ID: 25247c6a550fe515e6eb13a1799b41469c7f5849ad8dc8b9fa47ce18da6e6fdd
                                                • Opcode Fuzzy Hash: 8592d670b6a5495871e12ff66e0da7572921ba9f8c170d8e8a2b49cf93bae69b
                                                • Instruction Fuzzy Hash: 9A12B466B1C68392FA58ABA1C851EF9F291FF54F84FE44531CA1D97290EF3CE950C221
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$CreateObjectStockwcscat
                                                • String ID: -----$SysListView32
                                                • API String ID: 2361508679-3975388722
                                                • Opcode ID: c344d9879c390065c59b29320dac7b0039891542bbecba4ba3e0f02e7f9bfa97
                                                • Instruction ID: 98765fc1461d2dc4c4169409284943a74c1fd916c883e5c0c996a2d8e5c80e7d
                                                • Opcode Fuzzy Hash: c344d9879c390065c59b29320dac7b0039891542bbecba4ba3e0f02e7f9bfa97
                                                • Instruction Fuzzy Hash: C251E332A047818AE720DF65E844AEEB7E1FB88784F90013ADE4D57B59CF38D994CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameParentSend_invalid_parameter_noinfo
                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                • API String ID: 2019164449-3381328864
                                                • Opcode ID: 8e262b819e6f56a90fb6f0dff8af3bf336551f9b4e3e960db18143356d212841
                                                • Instruction ID: 3df4498795a4a5dc2c71e17961374701928fcb48a9e0238da5d23675a2f497c7
                                                • Opcode Fuzzy Hash: 8e262b819e6f56a90fb6f0dff8af3bf336551f9b4e3e960db18143356d212841
                                                • Instruction Fuzzy Hash: EB214C21B1C64390EA20B792E945E79A791BF81B84FA08035C90D87695EF3CE916C721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: FreeString$FileFromLibraryModuleNamePathQueryType
                                                • String ID:
                                                • API String ID: 1903627254-0
                                                • Opcode ID: 598b5a242d4ad7e8ea74ab1cb47f7436f773884321b066f1e5bf024af7697886
                                                • Instruction ID: ebc76aee2e67ce7302eb1d927fa25a734712fa358131f253b9fb3186cd55b305
                                                • Opcode Fuzzy Hash: 598b5a242d4ad7e8ea74ab1cb47f7436f773884321b066f1e5bf024af7697886
                                                • Instruction Fuzzy Hash: C5025D22A08A9286DB50EF65D4445BDBBA1FB85F94FA04032EF4E47B64CF3CD549C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                • String ID:
                                                • API String ID: 3210457359-0
                                                • Opcode ID: 33ab6cce80c9e0840b45516de4cf550524ae496078474d2d7534a7033dd0db45
                                                • Instruction ID: 89a8e88a591eff6b5d84bb1380d8acf8eff844b9ff4aeb657cd2b8d3dd97381f
                                                • Opcode Fuzzy Hash: 33ab6cce80c9e0840b45516de4cf550524ae496078474d2d7534a7033dd0db45
                                                • Instruction Fuzzy Hash: 4C619131A0858396FB34BAA59841FBA9A51BF407A4FB08531DA1D036E5CF7DEC41DB20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageReleaseScreenSendText
                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                • API String ID: 3721556410-2107944366
                                                • Opcode ID: 3604d4c7ce96f57bdd947ebfa5ae980c85c78aa1d887a29cd4c966ae94874c70
                                                • Instruction ID: bc3abefdb6cfabb9b1c15cad67ab037d5d2b29e6913d9bf6e1f33b021f7de1d8
                                                • Opcode Fuzzy Hash: 3604d4c7ce96f57bdd947ebfa5ae980c85c78aa1d887a29cd4c966ae94874c70
                                                • Instruction Fuzzy Hash: 07617F76A14A5285EB00FFA5E8819FDBBB0FB44B98FA01132DD1D13AA5CF38E545C350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                • String ID: SeDebugPrivilege
                                                • API String ID: 2533919879-2896544425
                                                • Opcode ID: f739a1b5ec9dcf9be788f6fa4a29232cbc47b3c853728f973a89d79ffbc52252
                                                • Instruction ID: 7920aab335a7950f61619712de3a0124accfa1962aef58ceeb2ccbc9b9c5b236
                                                • Opcode Fuzzy Hash: f739a1b5ec9dcf9be788f6fa4a29232cbc47b3c853728f973a89d79ffbc52252
                                                • Instruction Fuzzy Hash: 56517D62A0869282EB00FBA5C590B7CBB60FF84F91FA58431D60E07792DF3CE404CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                • String ID: 2$P
                                                • API String ID: 93392585-1110268094
                                                • Opcode ID: 46a49604fdc7cbe7f64919669a233ff3b62d38c72d86d24d888cad9356e87a30
                                                • Instruction ID: 368bb5b08068b0765966e753fe0cddfdefb7782a777aadffa2d81978c986c553
                                                • Opcode Fuzzy Hash: 46a49604fdc7cbe7f64919669a233ff3b62d38c72d86d24d888cad9356e87a30
                                                • Instruction Fuzzy Hash: 2151C332B0864289F760AFE5E440AFDB7A5BB40B58FB44136CA5E53694DF38E481C722
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$LongMessageSend$Show
                                                • String ID: '
                                                • API String ID: 257662517-1997036262
                                                • Opcode ID: eb894a93846cd46a5342e3ebb468783be677627f1867a2ee8fe2f5b975b70651
                                                • Instruction ID: 4511265582969683266dd62e26ceb09172a911e31c3cac61e5eb36cdfc9906ee
                                                • Opcode Fuzzy Hash: eb894a93846cd46a5342e3ebb468783be677627f1867a2ee8fe2f5b975b70651
                                                • Instruction Fuzzy Hash: 4C51D73290868281E762ABA7A554E7DBF90FF85B91FA48132CE5E03790CF3DE441D710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: IconLoad_invalid_parameter_noinfo
                                                • String ID: blank$info$question$stop$warning
                                                • API String ID: 4060274358-404129466
                                                • Opcode ID: a20ad64d4c1f0ff606b53834bd72c3c9b388472799770000db1625183137431d
                                                • Instruction ID: edd26cb1a14356e960271e3dcb32a80c31dfe6b0f439ef9db110cb3dce7df023
                                                • Opcode Fuzzy Hash: a20ad64d4c1f0ff606b53834bd72c3c9b388472799770000db1625183137431d
                                                • Instruction Fuzzy Hash: 6D216D21B0C79381FA60BB96E9109BAE755BF44B80FE45032DD4D42795EF7CE852C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                • Associated: 00000000.00000002.2304499401.00007FF78EA80000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB35000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304588716.00007FF78EB58000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304652244.00007FF78EB6A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB74000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2304681314.00007FF78EB84000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString$Messagewprintf
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 4051287042-3128320259
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                • String ID:
                                                • API String ID: 1211466189-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Close$BuffCharConnectDeleteOpenRegistryUpperValue
                                                • String ID:
                                                • API String ID: 50796853-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                • String ID:
                                                • API String ID: 3864802216-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                • String ID:
                                                • API String ID: 2550207440-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Similarity
                                                • API ID: ObjectSelect$BeginCreatePath
                                                • String ID:
                                                • API String ID: 3225163088-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: MessageSendWindow$Enabled
                                                • String ID:
                                                • API String ID: 3694350264-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: From$ErrorModeProg$AddressCreateFreeInstanceProcStringTasklstrcmpi
                                                • String ID: DllGetClassObject
                                                • API String ID: 668425406-1075368562
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ErrorLastinet_addrsocket
                                                • String ID:
                                                • API String ID: 4170576061-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                • String ID:
                                                • API String ID: 161812096-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                • String ID:
                                                • API String ID: 3761583154-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: AllocByteCharMultiStringWide
                                                • String ID:
                                                • API String ID: 3603722519-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$CreateObjectStockWindow
                                                • String ID: Msctls_Progress32
                                                • API String ID: 1025951953-3636473452
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: CreateHandlePipe
                                                • String ID: nul
                                                • API String ID: 1424370930-2873401336
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: CreateHandlePipe
                                                • String ID: nul
                                                • API String ID: 1424370930-2873401336
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Rect$Client$Window$MetricsScreenSystem
                                                • String ID:
                                                • API String ID: 3220332590-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: f$p
                                                • API String ID: 3215553584-1290815066
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Variant$ClearCopy$AllocInitString
                                                • String ID:
                                                • API String ID: 3859894641-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                • String ID:
                                                • API String ID: 2592858361-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: CapsDevice$Release
                                                • String ID:
                                                • API String ID: 1035833867-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                • String ID:
                                                • API String ID: 43455801-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Virtual
                                                • String ID:
                                                • API String ID: 4278518827-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                • String ID:
                                                • API String ID: 839392675-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: FreeFromProgTask$BlanketConnectConnection2CreateInitializeInstanceOpenProxyQueryRegistrySecurityValuelstrcmpi
                                                • String ID: NULL Pointer assignment
                                                • API String ID: 1653399731-2785691316
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CharLowerBuffW.USER32(?,?,?,?,00000003,00000000,?,00007FF78EB1BF47), ref: 00007FF78EB1CE29
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: BuffCharLower
                                                • String ID: cdecl$none$stdcall$winapi
                                                • API String ID: 2358735015-567219261
                                                • Opcode ID: cfd27aa9078fe54b5237ae4ae96dd4eb24f1e30810729373652e6a66a1bfe0f4
                                                • Instruction ID: c0fbd417c66400b1ba5bf615f3626e4f4846dc15043040d20b00457544805a44
                                                • Opcode Fuzzy Hash: cfd27aa9078fe54b5237ae4ae96dd4eb24f1e30810729373652e6a66a1bfe0f4
                                                • Instruction Fuzzy Hash: 11912823B1865391EA18AFA59440D7DABA2BF147A0BF04535DE5D93B84DF3DEC42C720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                • API String ID: 4237274167-1221869570
                                                • Opcode ID: b3b6d2ada6ccf103fe3fbc6ee34d72f9b562082d7f5494f8603740d1ad09ed8b
                                                • Instruction ID: 89742966ac1ec9eb9acc687eb0361915d837a5cc7092ac20c07ccc6e50cb576d
                                                • Opcode Fuzzy Hash: b3b6d2ada6ccf103fe3fbc6ee34d72f9b562082d7f5494f8603740d1ad09ed8b
                                                • Instruction Fuzzy Hash: 2E91BB36B08B5285EB00FFA5E040ABDB7A5FB48B98BA54432DE5E53759DF38E405C360
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetForegroundWindow.USER32 ref: 00007FF78EAF0EDB
                                                  • Part of subcall function 00007FF78EAF0B90: CharUpperBuffW.USER32(?,?,00000001,00007FF78EAF0F61), ref: 00007FF78EAF0C6A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: BuffCharForegroundUpperWindow
                                                • String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
                                                • API String ID: 3570115564-1994484594
                                                • Opcode ID: 7c257ca8d76c0aa10b9ff23c4fdb9d550ebcebe8798a519d819cbaa0415aa93d
                                                • Instruction ID: fb15b57a208f100ec19fcad729c449ef193f9e4f182189eff7cad63349c182fd
                                                • Opcode Fuzzy Hash: 7c257ca8d76c0aa10b9ff23c4fdb9d550ebcebe8798a519d819cbaa0415aa93d
                                                • Instruction Fuzzy Hash: 0C71B612B0864341FE64BBE5D451AB9E2A1BF64F84FE44033D94D96792EF3CE944C322
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: #$E$O
                                                • API String ID: 3215553584-248080428
                                                • Opcode ID: 475178099990ac0353bf962476b95ad540ed5abada18ffefe6575b5c91291a80
                                                • Instruction ID: 2cf6766470e80decf12b4b99d91ec8454f0da475b2f9e929475d193303d2d0e6
                                                • Opcode Fuzzy Hash: 475178099990ac0353bf962476b95ad540ed5abada18ffefe6575b5c91291a80
                                                • Instruction Fuzzy Hash: 6D41D522A1875188EF51AFA198409BDA7F0BF85F88F684031EE8D17799DF3CD441C322
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend$ClassName
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 787153527-1403004172
                                                • Opcode ID: ff640e8f0f1b2ddff4678b01bce3fe36037d9840c3b2af55b5fddd693c733b9a
                                                • Instruction ID: 9108063d7ea499bd7ad3909fe9ab4a602aa7f7f0e544aca5d34669d2f008216b
                                                • Opcode Fuzzy Hash: ff640e8f0f1b2ddff4678b01bce3fe36037d9840c3b2af55b5fddd693c733b9a
                                                • Instruction Fuzzy Hash: 72319032A0964282EA20FB91E4419B9F7A0FB85F84FA58131DE5D47B95CF3CE505C721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 03f3b3863cf3428f55316b0c9d809bb68f76fa44e49f8ab79cf537312fbddc30
                                                • Instruction ID: 77f6599cca5652ec7b984a8f2fce67fc8997f142be647935e164b03686c18917
                                                • Opcode Fuzzy Hash: 03f3b3863cf3428f55316b0c9d809bb68f76fa44e49f8ab79cf537312fbddc30
                                                • Instruction Fuzzy Hash: 60A1E562A0978246EB61ABE09410BB9A6D1BF40FB4FA54635DA5D077C5DF3CF484C322
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: ErrorLasthtonsinet_ntoa
                                                • String ID:
                                                • API String ID: 2227131780-0
                                                • Opcode ID: 7d4f4024c9f60fc6d0c547bc01d771306aecca345db762115638398fb3bdfb40
                                                • Instruction ID: ddd5f7d8b33ec7fee5d1d0fd1890e61dae0d35d874d5cc4f1c0ea028d9d86973
                                                • Opcode Fuzzy Hash: 7d4f4024c9f60fc6d0c547bc01d771306aecca345db762115638398fb3bdfb40
                                                • Instruction Fuzzy Hash: 0CA1D232A0864286DB20FBA6D851ABDEB91BF81FA4FA04531DE1E47795DF3CD500C721
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: Process$CloseCountersCurrentHandleOpen
                                                • String ID:
                                                • API String ID: 3488606520-0
                                                • Opcode ID: c6c8e3dea7ced7a7265ec6b0fd3e3d9db0199cdbbf202679ca2a1ea85aefeb01
                                                • Instruction ID: 4d685eba52fd1859df242d7af0510fbfa549e85557e182cef94cae406b58ebb2
                                                • Opcode Fuzzy Hash: c6c8e3dea7ced7a7265ec6b0fd3e3d9db0199cdbbf202679ca2a1ea85aefeb01
                                                • Instruction Fuzzy Hash: D0819D22B0869185EB04BFA2C454ABDBBA1BB48FD4FA54035DE1E17B96CF38D401C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                • String ID:
                                                • API String ID: 3451389628-0
                                                • Opcode ID: 2df9632571d69b756c3699524fa3ecfa34112e0eb2563d100e82bb15e07072f1
                                                • Instruction ID: 4c8fabd84dd9450d910eabe8c4546eaa77f2aa874307de4446fa960fe5dbf9b0
                                                • Opcode Fuzzy Hash: 2df9632571d69b756c3699524fa3ecfa34112e0eb2563d100e82bb15e07072f1
                                                • Instruction Fuzzy Hash: 89715E32B08A9289EB10EFA5D0917BCBB70FF85B88F918131DA0D57A96CF38D505C365
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                • String ID:
                                                • API String ID: 3659116390-0
                                                • Opcode ID: 565e37f08fcc29d8b24d7793246010796331880618d15c7c8224c4ccd3a000f5
                                                • Instruction ID: 59a9bb0541caaa7f7a32db71e4af26e9288fcb4e8c8abc0d2cade55eb2e496b0
                                                • Opcode Fuzzy Hash: 565e37f08fcc29d8b24d7793246010796331880618d15c7c8224c4ccd3a000f5
                                                • Instruction Fuzzy Hash: 1C51D132A14A5189E710DFA5E484BBCBBB0FB88B98F648135DE8E47B98DF38D145C711
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                • String ID:
                                                • API String ID: 3740051246-0
                                                • Opcode ID: cd6aad3c3a8c30d4909f65b28e82e2c944414c1da58a4a5d40bd82117204266b
                                                • Instruction ID: ae45db939f42bb86eb1874876ddb7ef8d69a30506fdd8c9413efef760889a1bd
                                                • Opcode Fuzzy Hash: cd6aad3c3a8c30d4909f65b28e82e2c944414c1da58a4a5d40bd82117204266b
                                                • Instruction Fuzzy Hash: 5161B532A08A9685EB10EBA5D4807BDBB70FF85B84FA04132EB4D07A66CF7CD545C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78EB1C2BF), ref: 00007FF78EB1D176
                                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78EB1C2BF), ref: 00007FF78EB1D217
                                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78EB1C2BF), ref: 00007FF78EB1D236
                                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78EB1C2BF), ref: 00007FF78EB1D281
                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78EB1C2BF), ref: 00007FF78EB1D2A0
                                                  • Part of subcall function 00007FF78EAA4120: WideCharToMultiByte.KERNEL32 ref: 00007FF78EAA4160
                                                  • Part of subcall function 00007FF78EAA4120: WideCharToMultiByte.KERNEL32 ref: 00007FF78EAA419C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                • String ID:
                                                • API String ID: 666041331-0
                                                • Opcode ID: ba53198603ea7a1cc2753551fdecf120f81164c0fcf7ca152e94c049322842ea
                                                • Instruction ID: 615c3fd5d6ceee5a92048d553def28275daab2617ec93d30ccca7dde77dc7592
                                                • Opcode Fuzzy Hash: ba53198603ea7a1cc2753551fdecf120f81164c0fcf7ca152e94c049322842ea
                                                • Instruction Fuzzy Hash: 0C515836A04B5685EB00EF96D8809BCB7B4FB88F95BA64032DE5E43755DF38D441C362
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: Variant$Clear$ChangeInitType
                                                • String ID:
                                                • API String ID: 4136290138-0
                                                • Opcode ID: 5bf158a84cb56ccb7168b4d37c167f5e8b54303454597cac92653ddc8f5d8736
                                                • Instruction ID: bfe75a1cb8ace72796bc5e7c7e04b16fedf56b772f97eaf576d05c408aecd54b
                                                • Opcode Fuzzy Hash: 5bf158a84cb56ccb7168b4d37c167f5e8b54303454597cac92653ddc8f5d8736
                                                • Instruction Fuzzy Hash: D7518433625A8492DB10DF15E084BAD73B8FB84F80F928126CB9E43B64EF39E458C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                • Opcode ID: 69caafc8f8afcb53c87a7f7053d9646584506dbe7d8e8e6cfd9f4db44817ad77
                                                • Instruction ID: 8d88d51974ad4751c472d893f4a3dfdd5d3a845fda3bdf7f617888003225486c
                                                • Opcode Fuzzy Hash: 69caafc8f8afcb53c87a7f7053d9646584506dbe7d8e8e6cfd9f4db44817ad77
                                                • Instruction Fuzzy Hash: 7D519F32608B8285EA70AF959440979FA95FF44FB0FB45231DA69077D4DF3CE491C722
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: AsyncState$ClientCursorScreen
                                                • String ID:
                                                • API String ID: 4210589936-0
                                                • Opcode ID: 66afa1c94deaf905156041cf676ffe3a2b02e9b0039980c06c23d4dff2918920
                                                • Instruction ID: 9f02dda88f660380ce01a25958d929d1a6b839f74daea994d6c0e634197706e6
                                                • Opcode Fuzzy Hash: 66afa1c94deaf905156041cf676ffe3a2b02e9b0039980c06c23d4dff2918920
                                                • Instruction Fuzzy Hash: F6512436B142928BE754EF71C450A7AB7A0FF45B54F600231EA9A43BD5CF38E491C710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: AddressProc
                                                • String ID:
                                                • API String ID: 190572456-0
                                                • Opcode ID: a18f96543d52060ea1fb4eaea9751658dcb69330229f7bbe75e5b271c8b8e6e3
                                                • Instruction ID: 9ad45591bc658d3b883383021f20343f3f13eab1b87b2bfc0d3d822e483c40e4
                                                • Opcode Fuzzy Hash: a18f96543d52060ea1fb4eaea9751658dcb69330229f7bbe75e5b271c8b8e6e3
                                                • Instruction Fuzzy Hash: 2041C531F0AA4282FE15AF869814AB5E791BF84F90FA94535DD9D4B798DF3CE404C321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Window$Show$Enable
                                                • String ID:
                                                • API String ID: 2939132127-0
                                                • Opcode ID: c489c8d02495f69c1778672d4edb055e6fea3c7ece5ab9feb79cbeb3e5804fe0
                                                • Instruction ID: c409d4696411d3bd7ec0316188f7d8b2835c2bad6807097d715bb935cb3018fc
                                                • Opcode Fuzzy Hash: c489c8d02495f69c1778672d4edb055e6fea3c7ece5ab9feb79cbeb3e5804fe0
                                                • Instruction Fuzzy Hash: 5E51613690978B82EB54DB99D445A78BBA1FB86B44FB84036CE4D17AA0CF3DE441D320
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: MessagePostSleep$RectWindow
                                                • String ID:
                                                • API String ID: 3382505437-0
                                                • Opcode ID: eede7ce4c4e84a454966b5ad3a71d2882c358ebf9f1b03269eaebc827b2ba57d
                                                • Instruction ID: 0f7392a22e03a4ebb03d41894f48fe15bde73c47a03523e4b116549670a03920
                                                • Opcode Fuzzy Hash: eede7ce4c4e84a454966b5ad3a71d2882c358ebf9f1b03269eaebc827b2ba57d
                                                • Instruction Fuzzy Hash: 1F31D73660864547E710DFA9E844979B791F788FA8F900135EE5D97B94CF3CE845C710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: MessageSend$BuffCharUpperVisibleWindowwcsstr
                                                • String ID:
                                                • API String ID: 2655805287-0
                                                • Opcode ID: 4791d6a7e049e7ec9e35f4cc7525c8f63c6a15740064a3cb2c7179034048e16a
                                                • Instruction ID: 816c681085de67f57acc0dfbad1f8f1e246201cf50693348225f2f899db23643
                                                • Opcode Fuzzy Hash: 4791d6a7e049e7ec9e35f4cc7525c8f63c6a15740064a3cb2c7179034048e16a
                                                • Instruction Fuzzy Hash: 82210822B0978246EB14EB92A905A75AA90FF88FE0FA44531EE1D57B95DF3CD441C350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Window$ForegroundPixelRelease
                                                • String ID:
                                                • API String ID: 4156661090-0
                                                • Opcode ID: 0803af3d0555ee4f2e7cd4680bdbd11eb807c22797343ae4eaf726b5c3b1d4d7
                                                • Instruction ID: b4d32b2fccc21191bae003aabaeb6b162e9918bb1f5432e449b44a9cf6d9294d
                                                • Opcode Fuzzy Hash: 0803af3d0555ee4f2e7cd4680bdbd11eb807c22797343ae4eaf726b5c3b1d4d7
                                                • Instruction Fuzzy Hash: AD219F36B0865182EB04EFA6E88587DE7A1FB88F90BA84035DE0D87B95DF38D841C350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ObjectSelect$BeginCreatePath
                                                • String ID:
                                                • API String ID: 3225163088-0
                                                • Opcode ID: 8abe7a71c66bee896d504cb3d5ab816aa1492e552a9085df695a80683d63dbe3
                                                • Instruction ID: 715e64c4446c35e28d752ec03e987eb0cd449d9a5e937d7f0dc43168b2204d06
                                                • Opcode Fuzzy Hash: 8abe7a71c66bee896d504cb3d5ab816aa1492e552a9085df695a80683d63dbe3
                                                • Instruction Fuzzy Hash: 03315832D19B528BE350AB85B844B39FAA1FB86B90FA4013AD94D46B50CF7CE441CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 2067211477-0
                                                • Opcode ID: 6c75004fdc8f89f48edb4038dcc6ab145b99058f26a8cd052d9a22877b7c3d52
                                                • Instruction ID: bcb3115e8b2e62f4a10f9a1ade1f9d53e63c9d67b5c449978c4cb07b5444b35f
                                                • Opcode Fuzzy Hash: 6c75004fdc8f89f48edb4038dcc6ab145b99058f26a8cd052d9a22877b7c3d52
                                                • Instruction Fuzzy Hash: 3B215025A0A78285EE14EFE5945087AE7D0BFD4F80FA84531EA8D43B95DF3CE400C621
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _set_statfp
                                                • String ID:
                                                • API String ID: 1156100317-0
                                                • Opcode ID: e270cafaa1c1bb403facffb31b6a836e27aa4e45b093d38abbba4bbe7c8013ef
                                                • Instruction ID: ac2a2abb63b751af49d360b9ac2fd4717afe2157016b4a06520795dc0eee3cb1
                                                • Opcode Fuzzy Hash: e270cafaa1c1bb403facffb31b6a836e27aa4e45b093d38abbba4bbe7c8013ef
                                                • Instruction Fuzzy Hash: 0D11607EE1C60305F65C31A9EC41B7595417FD5BA0FAD4238EAEE466DACF3C6440C222
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                • Opcode ID: 18e3121f69b2f55043958739cbc43e37301fc4036db83b04d1dc9e6091f96284
                                                • Instruction ID: f5704af6f7f9e41cde00c784b44a261e67e95a065dc8fcb10433b299b3b1d453
                                                • Opcode Fuzzy Hash: 18e3121f69b2f55043958739cbc43e37301fc4036db83b04d1dc9e6091f96284
                                                • Instruction Fuzzy Hash: DF115E36A04B82C6E710DF92E840969BBB4FB88F80BA54436DF8947B14DF3CE815C740
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                • Opcode ID: 3045165107d4a0871487eb7a52e49b2bb276054106bd9f861ce7bf3483f017d6
                                                • Instruction ID: d73c86816616dd50c8262453b0ab68fd8c6c2f0ab386f005f4e33a946127ffbb
                                                • Opcode Fuzzy Hash: 3045165107d4a0871487eb7a52e49b2bb276054106bd9f861ce7bf3483f017d6
                                                • Instruction Fuzzy Hash: 4E119A36604B82C6E710DF86E84096ABBB4FB88F80BA54436CF8803B24DF78E415C740
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                • String ID:
                                                • API String ID: 3741023627-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                • String ID:
                                                • API String ID: 2833360925-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EnterCriticalSection.KERNEL32(?,?,?,00007FF78EAE29AD,?,?,?,00007FF78EA92AB2), ref: 00007FF78EB0003C
                                                • TerminateThread.KERNEL32(?,?,?,00007FF78EAE29AD,?,?,?,00007FF78EA92AB2), ref: 00007FF78EB00047
                                                • WaitForSingleObject.KERNEL32(?,?,?,00007FF78EAE29AD,?,?,?,00007FF78EA92AB2), ref: 00007FF78EB00055
                                                • ~SyncLockT.VCCORLIB ref: 00007FF78EB0005E
                                                  • Part of subcall function 00007FF78EAFF7B8: CloseHandle.KERNEL32(?,?,?,00007FF78EB00063,?,?,?,00007FF78EAE29AD,?,?,?,00007FF78EA92AB2), ref: 00007FF78EAFF7C9
                                                • LeaveCriticalSection.KERNEL32(?,?,?,00007FF78EAE29AD,?,?,?,00007FF78EA92AB2), ref: 00007FF78EB0006A
                                                Similarity
                                                • API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
                                                • String ID:
                                                • API String ID: 3142591903-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                • String ID:
                                                • API String ID: 2625713937-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Thread$CurrentProcessWindow$AttachInputMessageSendTimeout
                                                • String ID:
                                                • API String ID: 179993514-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: CreateFullInitializeInstanceNamePathUninitialize
                                                • String ID: .lnk
                                                • API String ID: 3769357847-24824748
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                • API String ID: 3215553584-1196891531
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _set_statfp
                                                • String ID: !$acos
                                                • API String ID: 1156100317-2870037509
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _set_statfp
                                                • String ID: !$asin
                                                • API String ID: 1156100317-2188059690
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                • String ID: @
                                                • API String ID: 4150878124-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem
                                                • String ID: P
                                                • API String ID: 135850232-3110715001
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                                • String ID: U
                                                • API String ID: 2456169464-4171548499
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$Window$CreateObjectStock
                                                • String ID: SysMonthCal32
                                                • API String ID: 2671490118-1439706946
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$Window$CreateDestroyObjectStock
                                                • String ID: msctls_updown32
                                                • API String ID: 1752125012-2298589950
                                                • Opcode ID: 3ad8a05af1a04f4639f3558a706eda2379b4f54061b6a2bc35ec0bb5bf7c66ed
                                                • Instruction ID: 0cae47505bf994ffcf7aaebe91b57dffd85b707e07034b5cef254ed5fd94e753
                                                • Opcode Fuzzy Hash: 3ad8a05af1a04f4639f3558a706eda2379b4f54061b6a2bc35ec0bb5bf7c66ed
                                                • Instruction Fuzzy Hash: 8231E532A18B8582EB60DF55E480BAAB760FBC5B91FA08136DA8D47B58CF3CD444CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend$Window$CreateMoveObjectStock
                                                • String ID: Listbox
                                                • API String ID: 3747482310-2633736733
                                                • Opcode ID: 4629ce28c24575fa998f22937708fe0feac1f339ddb28addb223e5ca3634c4d7
                                                • Instruction ID: 4d4bbd4ded95c3db3ba36287ee1e39f43b2fd857e06187bc02ac39d7dfc18d57
                                                • Opcode Fuzzy Hash: 4629ce28c24575fa998f22937708fe0feac1f339ddb28addb223e5ca3634c4d7
                                                • Instruction Fuzzy Hash: 5D313C366097C186E770DF55B444B5ABBA1F7887A0F608235EAA913B98CB3DD485CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume
                                                • String ID: %lu
                                                • API String ID: 2507767853-685833217
                                                • Opcode ID: 1d2d9ec70042b180fc7aee4065bf2b0cf31a7f0658b1f1c5aeac4af0ce1da44c
                                                • Instruction ID: db34cb4e2f8e56fdfedbd2ace9b3a10629b4a0c0a66bed101ecb805f6eca9322
                                                • Opcode Fuzzy Hash: 1d2d9ec70042b180fc7aee4065bf2b0cf31a7f0658b1f1c5aeac4af0ce1da44c
                                                • Instruction Fuzzy Hash: 87316D72608B8685DB10EB56E48097DB7A1FB89B80FA04031EA8D47B65CF3CD595C710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend$CreateObjectStockWindow
                                                • String ID: msctls_trackbar32
                                                • API String ID: 1025951953-1010561917
                                                • Opcode ID: d23565779f05c86e88825c5223c790f228a79c76439431c452903b53a7f93148
                                                • Instruction ID: 5b6961780f9a13d6f3920a92f95ed9f704e66ba50dc40ae16a11ff8909e5c0ca
                                                • Opcode Fuzzy Hash: d23565779f05c86e88825c5223c790f228a79c76439431c452903b53a7f93148
                                                • Instruction Fuzzy Hash: C9313632A1878187E7609F55E444F5ABBA1FB88B90F604239EB9813B58CF3CE841CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                • String ID: csm
                                                • API String ID: 2280078643-1018135373
                                                • Opcode ID: f3b44f69e9663573439d22a4e4da11b073c1d9211702bf15dcc91806c3a7fe41
                                                • Instruction ID: a007474161232c3e688e5445d59a02e4c81dcc2ecc81353514422e99bdb2d47d
                                                • Opcode Fuzzy Hash: f3b44f69e9663573439d22a4e4da11b073c1d9211702bf15dcc91806c3a7fe41
                                                • Instruction Fuzzy Hash: 9A212F3660874182E670EF52E44497EB7A5F789FA4F900225DE9D03795CF3CE886CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: CloseControlCreateDeviceFileHandle
                                                • String ID: 0
                                                • API String ID: 33631002-4108050209
                                                • Opcode ID: 122fac756a3aebd614dbe24bd4d9d3fcd08661cb9d9b68eb4b308195107418d6
                                                • Instruction ID: f7fc7f0b94e880df4c7cd909cd254c25c3933a4197f60fb5d961ddfa53696faf
                                                • Opcode Fuzzy Hash: 122fac756a3aebd614dbe24bd4d9d3fcd08661cb9d9b68eb4b308195107418d6
                                                • Instruction Fuzzy Hash: FF218632618780D6D3209F51E484A9AB7B4F784B94F644236DB9D03F94DF3DD555CB04
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                • API String ID: 2574300362-4033151799
                                                • Opcode ID: 88aa4d55391e805054e25835240c34e867389002f23d272af78df165a122bac4
                                                • Instruction ID: ea49ba3ab1dfd860ae68b34f14c46130f277a3b1dbd3e7df5cfa30bb9fe7c7ad
                                                • Opcode Fuzzy Hash: 88aa4d55391e805054e25835240c34e867389002f23d272af78df165a122bac4
                                                • Instruction Fuzzy Hash: EAE0ED61A06B0681EF14AB90E416768A7E4FF08B55FA40435CD1E86350EF7CD995C350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-1355242751
                                                • Opcode ID: f93d3ff0ce366ab95d7e6c8a1355595afc9dd02f208f5495b2fec8b10b31cda7
                                                • Instruction ID: 6b7b57208b5a345374a04669887c5cdaeeca35e02a1ac588441c3f007a7cde5b
                                                • Opcode Fuzzy Hash: f93d3ff0ce366ab95d7e6c8a1355595afc9dd02f208f5495b2fec8b10b31cda7
                                                • Instruction Fuzzy Hash: 09E0ED31906F0682EF16AB90E4197B4A7E4FF48B48FA40434C92D46768EFBCD594C310
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-3689287502
                                                • Opcode ID: 0d692eaeaee984e821757872aa743bf672a5f4ffbc2c7638c6bb6d49df66a179
                                                • Instruction ID: 84fcbd7b4ec86efcd8aac550e85fb4bf7dddc0f1786bbe84a7b5110bc3eaf8ed
                                                • Opcode Fuzzy Hash: 0d692eaeaee984e821757872aa743bf672a5f4ffbc2c7638c6bb6d49df66a179
                                                • Instruction Fuzzy Hash: 6FE0ED31906F0681EF15AB91E415774A7E4FF48B48FA40435C92D46354EF7CE595C350
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 7524d7e2d52d05920338dceab766341373bac426c68e9c37cb254224bebc0e48
                                                • Instruction ID: c8f7d6197321397c82c9133c6173205d3b5ccaac7d88ef5834b8ec121eb666d5
                                                • Opcode Fuzzy Hash: 7524d7e2d52d05920338dceab766341373bac426c68e9c37cb254224bebc0e48
                                                • Instruction Fuzzy Hash: 63D18976B09B419AEB50EFA5D4805ECB7B1FB44B88B900036DE0D57BA9DF38E519C390
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
                                                • String ID:
                                                • API String ID: 2000298826-0
                                                • Opcode ID: 46ffc974d03c74fe675a359457ba7bbb3a6c384647595a219b83fce263b46345
                                                • Instruction ID: 31a839437bfe41541dc4933a5e3731acbd709352d727205388a4f77f86eb39f8
                                                • Opcode Fuzzy Hash: 46ffc974d03c74fe675a359457ba7bbb3a6c384647595a219b83fce263b46345
                                                • Instruction Fuzzy Hash: B9718036A18B4186E700EB61E444BAEB7B1FB88B88F904132EE4D07B69DF7CD545C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: CreateDirectory$AttributesErrorFileLast
                                                • String ID:
                                                • API String ID: 2267087916-0
                                                • Opcode ID: 9a50aa74d2559c0d1d2fc8bb5d1523606716f977cfdc5cafbc327c2c6a102045
                                                • Instruction ID: 2f6c8d5c8562766919d051fdd1c18f5e2938e2e7387c2246146c354e55ed381b
                                                • Opcode Fuzzy Hash: 9a50aa74d2559c0d1d2fc8bb5d1523606716f977cfdc5cafbc327c2c6a102045
                                                • Instruction Fuzzy Hash: FA51AE32B05A1185EF50AFA2D8409BDA7B5BB48F94BA44136DE0D57BA8DF3CD942C321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: ErrorLast$socket
                                                • String ID:
                                                • API String ID: 1881357543-0
                                                • Opcode ID: 2f7cf8263c41ad3ca56e1a8fad4cf6ea685e9961862279cbfea50359dc3cc1a2
                                                • Instruction ID: ae684e0f13cbc9e9d194713d102874f95e0cc79c41ea64562b2c3675d97c3cd7
                                                • Opcode Fuzzy Hash: 2f7cf8263c41ad3ca56e1a8fad4cf6ea685e9961862279cbfea50359dc3cc1a2
                                                • Instruction Fuzzy Hash: D241C12170869286DB10BFA2E441A7DEB91BB85FE0FA44534DE2E4BBA6CF3CD001C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Similarity
                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                • String ID:
                                                • API String ID: 3321077145-0
                                                • Opcode ID: 328523951a9f40cbbb3ace38589825012ca206b81047daa6fbc9b46e9d48e72f
                                                • Instruction ID: 3257778d803950846ea1a22eea8ef8bee9b0c39c52e19fd66acbb165bf7349ef
                                                • Opcode Fuzzy Hash: 328523951a9f40cbbb3ace38589825012ca206b81047daa6fbc9b46e9d48e72f
                                                • Instruction Fuzzy Hash: B841D866A04B5681DB14EF66D49186DB7A0FB88FD0B989432DF8E47B66CF3CE440C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                • String ID:
                                                • API String ID: 1352109105-0
                                                • Opcode ID: 2f09a68d55c04cb191ca289c596e56cd55ceee8682779a4dba9d7602fe5484e5
                                                • Instruction ID: ee658bfadc04406be9d5ca1eb58d3d3758b6cfe37aee0cffbfdd9c696db59a3b
                                                • Opcode Fuzzy Hash: 2f09a68d55c04cb191ca289c596e56cd55ceee8682779a4dba9d7602fe5484e5
                                                • Instruction Fuzzy Hash: D3419232A08B9686EA10AF99D884979BBA0FF44B95FF54136CE1DA3764DF3CE441D310
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Menu$Item$DrawInfoInsert
                                                • String ID:
                                                • API String ID: 3076010158-0
                                                • Opcode ID: dc6c68aad8de4ec1ea0eac338f153197ea768d30efaa3fb996dae5153308a6de
                                                • Instruction ID: 686c70942652bac1273bdb536475ea617cecc60348c1df23fd7c8bab6ce63126
                                                • Opcode Fuzzy Hash: dc6c68aad8de4ec1ea0eac338f153197ea768d30efaa3fb996dae5153308a6de
                                                • Instruction Fuzzy Hash: 0341AC36B00B818AEB20DFA6D444AADBBA1FB48B94FA44136CE0D13B54CF39E845C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                • String ID:
                                                • API String ID: 4141327611-0
                                                • Opcode ID: a9867840faaecfdaa354c38ff02ada8b7424d64697801e09ff4ff5a4409c6d4e
                                                • Instruction ID: 7f8f2778b1a7d9dddd715c6f3c0ba588ed06cd20c439bc5953809782b4772503
                                                • Opcode Fuzzy Hash: a9867840faaecfdaa354c38ff02ada8b7424d64697801e09ff4ff5a4409c6d4e
                                                • Instruction Fuzzy Hash: 18418D32A0874256EB61AB919044F79E291BFC0F90FB44530DA8906A95DF3CD881CB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                • Opcode ID: 56c9a0b6ee225f986b8f36bfa830b7f851ce703ec5b55e2ab927aaea8bed82d2
                                                • Instruction ID: 7537667ac629fbfb1f56385c3a7c06ec7b059b4d46ec687fa484a2c685a108ab
                                                • Opcode Fuzzy Hash: 56c9a0b6ee225f986b8f36bfa830b7f851ce703ec5b55e2ab927aaea8bed82d2
                                                • Instruction Fuzzy Hash: CF410AB1A1D68241F730EB61D410E79AAA0FB44F94FF41532EA9A136D5CF3CD582C762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: LongWindow$InvalidateMessageRectSend
                                                • String ID:
                                                • API String ID: 3340791633-0
                                                • Opcode ID: 41522454ef5ffe58f3c47094a62836e99305b084494bc2ef8d406c22aeaeab5d
                                                • Instruction ID: 5c3cc9ae131e6727a930d8dfe9e4a57b53aa9f82dbf219216391805545e0a658
                                                • Opcode Fuzzy Hash: 41522454ef5ffe58f3c47094a62836e99305b084494bc2ef8d406c22aeaeab5d
                                                • Instruction Fuzzy Hash: 51418D31A4858696FB65AAD4C401AB8AB60FF84B94FB85132CA0D036D5CF7CEC81CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                • Opcode ID: 5e46c45bdab3a47586a9f1d6f3cf12586a4e74534b52d5ecd50e7167bd5190cf
                                                • Instruction ID: 2d77a1caa14456c89f6e656daf16ed19a0fdfc6896d72033382412bdeda1a755
                                                • Opcode Fuzzy Hash: 5e46c45bdab3a47586a9f1d6f3cf12586a4e74534b52d5ecd50e7167bd5190cf
                                                • Instruction Fuzzy Hash: EE31C331A0878146EB70AB659400FB9ABA4FF54F94FA50232DA99137D5CF3CD551C722
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Internet$CloseConnectHandleOpen
                                                • String ID:
                                                • API String ID: 1463438336-0
                                                • Opcode ID: 589cd8c68b57d7423dd74b1edc4dd3949ed0ac3f90bc7328400ab694d8be37aa
                                                • Instruction ID: 341bdd84f92e13b9210d4aab19607e11511f86db1f6f415da2dd465913cef205
                                                • Opcode Fuzzy Hash: 589cd8c68b57d7423dd74b1edc4dd3949ed0ac3f90bc7328400ab694d8be37aa
                                                • Instruction Fuzzy Hash: 2F318036A0978283EB25EB56E050F79AB60FB89B94F644135DA4D07B84DF3CE054CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF78EABA27B,?,?,?,00007FF78EABA236), ref: 00007FF78EAC3DB1
                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF78EABA27B,?,?,?,00007FF78EABA236), ref: 00007FF78EAC3E13
                                                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF78EABA27B,?,?,?,00007FF78EABA236), ref: 00007FF78EAC3E4D
                                                • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF78EABA27B,?,?,?,00007FF78EABA236), ref: 00007FF78EAC3E77
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                • String ID:
                                                • API String ID: 1557788787-0
                                                • Opcode ID: 01582a1cc1afdad6e1d5985337141992fa687edcd13d7850452916e3cfeba0bf
                                                • Instruction ID: b5c3f4d941163bb96de59d2e681d7c859ed83d06d5f244c5e77e95593f59eca4
                                                • Opcode Fuzzy Hash: 01582a1cc1afdad6e1d5985337141992fa687edcd13d7850452916e3cfeba0bf
                                                • Instruction Fuzzy Hash: 0F21B135B1979181E620AF526400439F6E5FF94FE0BA84174DE8E23B94DF3CE496D311
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                • String ID:
                                                • API String ID: 2864067406-0
                                                • Opcode ID: b766ee5e7a6f79c275b6e8452a41ed66ab3f515ad85ef8642b06b7120701f994
                                                • Instruction ID: e4803aff5fbb5cf4b962ba074c405ec2c67e6f1deab48fbbba379c55b84f42ac
                                                • Opcode Fuzzy Hash: b766ee5e7a6f79c275b6e8452a41ed66ab3f515ad85ef8642b06b7120701f994
                                                • Instruction Fuzzy Hash: 41318036A08A4582EB10EF56E455BB9EBA4FB84F94FA40132DA8D43F65CF3CD845C720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: lstrcmpilstrcpylstrlen
                                                • String ID: cdecl
                                                • API String ID: 4031866154-3896280584
                                                • Opcode ID: b1a8f7825b1da29788af026b5061c681ca54c64004f31bc8b54455b05eabb44f
                                                • Instruction ID: cd44f5470e06518d4d84f35a2c07034f618044d30d282d644ed291f662adef30
                                                • Opcode Fuzzy Hash: b1a8f7825b1da29788af026b5061c681ca54c64004f31bc8b54455b05eabb44f
                                                • Instruction Fuzzy Hash: ED21BF2160434285EB14BF92A854678B7A2FF88FD0BA85135EB5E47790EF3DE840C315
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: ClientCursor$LoadLongProcRectScreenWindow
                                                • String ID:
                                                • API String ID: 1626762757-0
                                                • Opcode ID: c10d22a9dfdb007e9cd3e446db2f26fc59a904d9b079c484f8598dfd72a81c9f
                                                • Instruction ID: 5d75dd71e929c081de0a09467232952c40910a7b6140488f317a97211845fb8a
                                                • Opcode Fuzzy Hash: c10d22a9dfdb007e9cd3e446db2f26fc59a904d9b079c484f8598dfd72a81c9f
                                                • Instruction Fuzzy Hash: D2214136A0864286EB24EB85F981969FBA0FB85F84FA44131DB4D47F55CF3CE945C720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Similarity
                                                • API ID: _ctrlfp
                                                • String ID:
                                                • API String ID: 697997973-0
                                                • Opcode ID: 696024c0d85e9950b44dad3db47e8c6049c7f355de1dae667ed974782f5b2eb5
                                                • Instruction ID: 8572cd5765e64ad36a8c05119a2dc9f61378c711bdd372269c395e9f2e12026f
                                                • Opcode Fuzzy Hash: 696024c0d85e9950b44dad3db47e8c6049c7f355de1dae667ed974782f5b2eb5
                                                • Instruction Fuzzy Hash: 3D11F629D0C54282E210AA78948147BE671FFDBB80FB54230FBC94A6A9DF3DD480CB01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 2979156933-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                • String ID:
                                                • API String ID: 1352324309-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                • String ID:
                                                • API String ID: 1539411459-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: gfffffff
                                                • API String ID: 3215553584-1523873471
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ContainedObject
                                                • String ID: AutoIt3GUI$Container
                                                • API String ID: 3565006973-3941886329
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: e+000$gfff
                                                • API String ID: 3215553584-3030954782
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: FileModuleName_invalid_parameter_noinfo
                                                • String ID: C:\Users\user\Desktop\ocs-office.exe
                                                • API String ID: 3307058713-1717753346
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$CreateDestroyMessageObjectSendStock
                                                • String ID: static
                                                • API String ID: 3467290483-2160076837
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidehtonsinet_addr
                                                • String ID: 255.255.255.255
                                                • API String ID: 2496851823-2422070025
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _snwprintf
                                                • String ID: , $$AUTOITCALLVARIABLE%d
                                                • API String ID: 3988819677-2584243854
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: FileHandleType
                                                • String ID: @
                                                • API String ID: 3000768030-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                • String ID: static
                                                • API String ID: 1983116058-2160076837
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: LengthMessageSendTextWindow
                                                • String ID: edit
                                                • API String ID: 2978978980-2167791130
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: _handle_error
                                                • String ID: "$pow
                                                • API String ID: 1757819995-713443511
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 3678867486-1403004172
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 3678867486-1403004172
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 3678867486-1403004172
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID:
                                                • API String ID: 3712363035-3916222277
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 3678867486-1403004172
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2304521965.00007FF78EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78EA80000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff78ea80000_ocs-office.jbxd
                                                Similarity
                                                • API ID: Message
                                                • String ID: AutoIt$Error allocating memory.
                                                • API String ID: 2030045667-4017498283
                                                Uniqueness

                                                Uniqueness Score: -1.00%